Understanding PasswordAuthentication in the sshd configuration
I have an OpenSSH server which supports only password authentication:
[martin@ ~]$ ssh -v 10.10.1.183 -l root
OpenSSH_5.2p1 FreeBSD-20090522, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.10.1.183 [10.10.1.183] port 22.
debug1: Connection established.
debug1: identity file /home/martin/.ssh/identity type 0
debug1: identity file /home/martin/.ssh/id_rsa type -1
debug1: identity file /home/martin/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7p1 Debian-5
debug1: match: OpenSSH_6.7p1 Debian-5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2p1 FreeBSD-20090522
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<2048<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '10.10.1.183' is known and matches the RSA host key.
debug1: Found key in /home/martin/.ssh/known_hosts:3
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: password
debug1: Next authentication method: password
root@10.10.1.183's password:
In other words, only PasswordAuthentication in the server's sshd_config file is set to yes. According to RFC 4252, section 8, "It is up to the server how to interpret the password and validate it against the password database." Am I correct that in Linux this means that if UsePAM is disabled in the sshd configuration, sshd checks the /etc/passwd and /etc/shadow files directly?
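Yes. But most distributions these days use PAM to handle logins, because sessions on today's systems are getting more and more complex. OpenSSH can use the <shadow.h> header and the functions defined in it to communicate with shadow. For more information, see the source files auth.c and auth-shadow.c.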
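A quick look at the source shows that auth-passwd.c includes <pwd.h> and auth-shadow.c includes <shadow.h>. Without digging deeper, it appears that sshd does indeed use system calls to check the password. There is also some code that allows sshd to require and perform a password change for an expired password.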
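As an added example (not part of the original question or answers, and not OpenSSH code): a Python function that reads sshd_config text and reports, for the global section and each Match block, whether password logins are accepted and whether PAM or the passwd/shadow database would verify them. The sample configuration is constructed, the defaults are the upstream ones documented in sshd_config(5), and Include files are not followed.

```python
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
passwordauthentication yes
UsePAM no
PasswordAuthentication no
Match User backup
    PasswordAuthentication no
Match Address 10.10.1.0/24
    PubkeyAuthentication no
"""

# Upstream defaults per sshd_config(5); a distribution build may differ (assumption).
DEFAULTS = {"passwordauthentication": "yes", "usepam": "no"}


def parse_sshd_config(text):
    """Return (global settings, [(match criteria, settings)]); first value wins."""
    global_cfg, blocks, target = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":  # later lines belong to this block
            target = {}
            blocks.append((value, target))
            continue
        scope = global_cfg if target is None else target
        scope.setdefault(key, value)  # a repeated keyword is ignored
    return global_cfg, blocks


def password_backend(text):
    """Report whether password logins are accepted and what verifies them."""
    global_cfg, blocks = parse_sshd_config(text)
    eff = {**DEFAULTS, **global_cfg}
    # UsePAM is global-only: "yes" hands the password to PAM, else passwd/shadow.
    backend = "PAM" if eff["usepam"] == "yes" else "passwd/shadow database"

    def describe(flag):
        return f"password via {backend}" if flag == "yes" else "password disabled"

    report = {"global": describe(eff["passwordauthentication"])}
    for criteria, cfg in blocks:
        flag = cfg.get("passwordauthentication", eff["passwordauthentication"])
        report[f"Match {criteria}"] = describe(flag)
    return report
```

On a live server, `sshd -T` prints the effective configuration after defaults and included files have been applied, which is the authoritative view to compare against.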