NetBSD Problem Report #60172

From www@netbsd.org  Thu Apr  2 20:03:13 2026
Return-Path: <www@netbsd.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits)
	 client-signature RSA-PSS (2048 bits))
	(Client CN "mail.netbsd.org", Issuer "R12" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 407761A9239
	for <gnats-bugs@gnats.NetBSD.org>; Thu,  2 Apr 2026 20:03:13 +0000 (UTC)
Message-Id: <20260402200312.097021A923C@mollari.NetBSD.org>
Date: Thu,  2 Apr 2026 20:03:11 +0000 (UTC)
From: david@gutteridge.ca
Reply-To: david@gutteridge.ca
To: gnats-bugs@NetBSD.org
Subject: sshd_config(5) man page vs. config file discrepancy with UsePAM and authentication
X-Send-Pr-Version: www-1.0
X-From4GNATS: "david@gutteridge.ca via gnats" <gnats-admin@NetBSD.org>

>Number:         60172
>Category:       bin
>Synopsis:       sshd_config(5) man page vs. config file discrepancy with UsePAM and authentication
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          doc-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Apr 02 20:05:00 +0000 2026
>Originator:     David H. Gutteridge
>Release:        HEAD
>Organization:
TNF
>Environment:
NetBSD arcusxx.nonus-porta.net 11.99.5 NetBSD 11.99.5 (GENERIC) #0: Wed Mar 11 05:11:56 UTC 2026  mkrepro@mkrepro.NetBSD.org:/usr/src/sys/arch/amd64/compile/GENERIC amd64
>Description:
The UsePAM documentation in sshd_config(5) states:

"Because PAM keyboard-interactive authentication usually serves an
equivalent role to password authentication, you should disable
either PasswordAuthentication or KbdInteractiveAuthentication."

However, the default sshd_config file that ships with NetBSD has
UsePAM=yes set (as an override), and both PasswordAuthentication and
KbdInteractiveAuthentication are enabled (by default).

These would seem to contradict each other. Either more detail is needed
in the man page, or the default configuration should probably be
adjusted. (Uncertain if this is a doc bug or a config bug, I'm filing
under the former.)
>How-To-Repeat:

>Fix:
NetBSD Home
NetBSD PR Database Search
(Contact us) $NetBSD: query-full-pr,v 1.47 2022/09/11 19:34:41 kim Exp $
$NetBSD: gnats_config.sh,v 1.9 2014/08/02 14:16:04 spz Exp $
Copyright © 1994-2026 The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.