as noted by a few peeps: emerging openssh-4.6_p1 with USE=pam breaks logging in with passwords ... the new versions seems to have changed the meaning of PasswordAuthentication with openssh-4.5_p1: PasswordAuthentication = no UsePAM = yes you can log in with passwords which get authenticated via PAM with openssh-4.6_p1: PasswordAuthentication = no UsePAM = yes you can no longer log in via password you can the tell difference between the internal openssh and the pam doing the password check as pam presents a prompt like: Password: while the non-pam one looks like: user@host's password:
PasswordAuthentication yes UsePAM = yes does not enable PAM authentication at all... ChallengeResponseAuthentication yes UsePAM = yes or ChallengeResponseAuthentication yes PasswordAuthentication yes UsePAM = yes works. Plus ChallengeResponseAuthentication does NOT default to yes despite the manpage suggesting otherwise.
true ... looks like the moving of code out of auth2.c and into servconf.c caused this ... and looking through upstream cvs, this has been detected and fixed already: Move C/R -> kbdint special case to after the defaults have been loaded, which makes ChallengeResponse default to yes again. This was broken by the Match changes and not fixed properly subsequently. Found by okan at demirmen.com, ok djm@ "please do it" deraadt@ http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/servconf.c.diff?r1=1.170&r2=1.171 http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd.c.diff?r1=1.349&r2=1.350
openssh-4.6_p1-r1 in portage w/upstream fix