authorMicah Anderson <micah@riseup.net>2008-09-26 16:59:55 -0400
committerMicah Anderson <micah@riseup.net>2008-09-26 16:59:55 -0400
commitd6f9d64d9b0d8befcf7437b2fe69b6e378971794 (patch)
treed101cc92c2e2dde564188c992ff3884276153d35 /templates
parent3bd90d741c35ae242befd955566e3f28cf76b81b (diff)
downloadpuppet-sshd-d6f9d64d9b0d8befcf7437b2fe69b6e378971794.tar.gz
puppet-sshd-d6f9d64d9b0d8befcf7437b2fe69b6e378971794.tar.bz2
add comment about PAM auth to the Debian template (copied from the Gentoo one), as it's useful info to
have available, due to the complexity of the option
Diffstat (limited to 'templates')
-rw-r--r--templates/sshd_config/Debian_normal.erb9
1 files changed, 9 insertions, 0 deletions
diff --git a/templates/sshd_config/Debian_normal.erb b/templates/sshd_config/Debian_normal.erb
index 989fa62..d9237c6 100644
--- a/templates/sshd_config/Debian_normal.erb
+++ b/templates/sshd_config/Debian_normal.erb
@@ -86,6 +86,15 @@ KeepAlive yes
#Subsystem sftp /usr/lib/sftp-server
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
<%- if real_sshd_use_pam.to_s == 'yes' then %>
UsePAM yes
<%- else %>