openssh-3.9_p1 behaves differently if PAM is switched off either during compile time (see "A" below) or via configuration file (see "B" below). Common configuration in both cases in /etc/ssh/sshd_config: PasswordAuthentication no #UsePAM no (All other lines in the file are as installed by the package.) app-admin/skey is installed and configured. Steps to Reproduce "A": 1. Unset "pam" useflag 2. emerge openssh, restart sshd 3. ssh from remote machine Actual Results "A": Behaviour is as expected: $ ssh user@host otp-md5 89 foo1234567 S/Key Password: [... login succeeds] Steps to Reproduce "B": 1. Set "pam" useflag 2. emerge openssh, restart sshd 3. ssh from remote machine Actual Results "B": No password prompt appears and login is immediately refused: $ ssh user@host Permission denied (publickey,keyboard-interactive). $ Expected Results: The behaviour of sshd should be identical in cases A and B (and should be as in case A).
Created attachment 40404 [details, diff] patch for auth2-chall.c Throughout the openssh source, "#ifdef USE_PAM" is always followed by "if (options.use_pam)", except for this one case in function privsep_challenge_enable.
Created attachment 40414 [details] Debug output from server log for case B The last lines of the "sshd -ddd" log show output from sshpam_init_ctx, in spite of UsePAM being switched off.
Created attachment 40456 [details, diff] proposed patch for auth2-chall.c
Please note that this bug is fixed by upstream. See URL.
Commited, thanks!