add comment about PAM auth to the Debian template (copied from the Gentoo one), as...

author Micah Anderson <micah@riseup.net>

Fri, 26 Sep 2008 20:59:55 +0000 (16:59 -0400)

committer Micah Anderson <micah@riseup.net>

Fri, 26 Sep 2008 20:59:55 +0000 (16:59 -0400)
author Micah Anderson <micah@riseup.net>
Fri, 26 Sep 2008 20:59:55 +0000 (16:59 -0400)
committer Micah Anderson <micah@riseup.net>
Fri, 26 Sep 2008 20:59:55 +0000 (16:59 -0400)
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb

index 989fa62371d258706f22ccd0025b23626c78ee42..d9237c661b46fb0a715177c4b58c914b3ae558a1 100644 (file)
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -86,6 +86,15 @@ KeepAlive yes
  
  #Subsystem     sftp    /usr/lib/sftp-server
  
+# Set this to 'yes' to enable PAM authentication, account processing, 
+# and session processing. If this is enabled, PAM authentication will 
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
  <%- if real_sshd_use_pam.to_s == 'yes' then %>
  UsePAM yes
  <%- else %>
author	Micah Anderson <micah@riseup.net>
	Fri, 26 Sep 2008 20:59:55 +0000 (16:59 -0400)
committer	Micah Anderson <micah@riseup.net>
	Fri, 26 Sep 2008 20:59:55 +0000 (16:59 -0400)