
sshd_config and empty password users logging in


froinds
06-08-2005, 12:42 AM
Hello
In Panther, I could edit /etc/sshd_config and set PermitEmptyPasswords no and users without a password would not be allowed to log in.
In Tiger I do the same and the users with empty passwords can log in.
Is it that launchd does not read that config file?
Help please

PS. In case you may wonder why would I leave a user with a blank password, it's my mother who just needs to find her name and login with a click.

hayne
06-08-2005, 01:29 AM
In case you may wonder why would I leave a user with a blank password, it's my mother who just needs to find her name and login with a click.

It is a (small) security hole to have a local user who has no password even if you think no-one else will have physical access to the machine.
I'm sure your mother can learn to type in at least a short password.

I don't know the answer to your question but I think I recall another thread (or maybe an article on the main macosxhints site) that talked about using the sshd_config file in Tiger.

macmath
06-08-2005, 08:40 AM
Despite the fact that /etc/sshd_config lists
#UsePAM no
the actual default for PAM is 'yes'.
So try uncommenting this line so that it says
UsePAM no

I had a similar problem and this fixed it for me. Despite setting PasswordAuthentication to 'no', it still allowed password authentication. I filed a bug report with Apple, who wrote back mentioning the above and admitting that the line
#UsePam no
is the opposite of the convention where the default is listed on the commented lines. The thread is here somewhere where I went through my version of this.

PS: Here (http://forums.macosxhints.com/showthread.php?t=39260) it is.

froinds
06-08-2005, 09:07 AM
Yeah, that was the problem. Once I uncommented the line UsePAM no everything worked as expected.
Thanks

froinds
06-10-2005, 12:53 PM
Well, now I can't log in to my computer from a remote location after setting UsePAM no. I get the following error message:

Permission denied (gssapi-with-mic,publickey,gssapi,password,keyboard-interactive).

How do I fix this?

macmath
06-10-2005, 01:21 PM
Do you ordinarily use passwords, or do you generate a key using a passphrase:
ssh-keygen -t dsa -N SomeSecurePassPhraseYouMadeUp
and then put the public component of the key in the appropriate place on the remote server?

macmath
06-10-2005, 01:38 PM
In the case that we can't get this to work otherwise, there are two alternatives.

A. From the man pages for sshd_config:
UsePAM Enables PAM authentication (via challenge-response) and session
set up. If you enable this, you should probably disable
PasswordAuthentication. If you enable then you will not be able
to run sshd as a non-root user. The default is ``no''.

As mentioned above, despite the fact that this says the default for UsePAM is 'no', the default really is 'yes' on Tiger 10.4.0 and 10.4.1. So you could comment out
UsePAM no
again (so that it would really be 'yes'), and then uncomment the line for PasswordAuthentication and change it to:
PasswordAuthentication no
and this would probably prevent someone from getting into your Mother's account.

B. If you usually get in with your password, then plan A would not be good and you would want to leave sshd_config with the following lines commented out and:
#PasswordAuthentication yes
#UsePAM no
and then add the line:
AllowUsers sshUser
and/or
DenyUsers yourMother

where sshUser is a user account you want to be able to log into. Naturally, both AllowUsers and DenyUsers would not need to be done, and AllowUsers would be preferable, but I saw an opportunity to say 'yourMother' in a non-negative setting and I took it. ;)
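The two points macmath makes in this thread, that a commented-out "#UsePAM no" sets nothing because sshd only reads uncommented lines, and that AllowUsers/DenyUsers are the reliable way to keep a passwordless account off sshd, can be checked against a config file rather than by trial and error. The script below is an added example and is not code from the thread, from Apple or from OpenSSH. It resolves keywords the way sshd does (first uncommented occurrence wins, keywords case-insensitive), applies the DenyUsers-then-AllowUsers order sshd uses, and audits two constructed config texts standing in for the shipped and the hardened /etc/sshd_config. The compiled-in defaults it assumes (UsePAM yes, as the thread found on Tiger; PermitEmptyPasswords no; PasswordAuthentication yes) and the account names sshUser, admin and yourMother are assumptions. Two caveats a practitioner should know: current OpenSSH prints the effective configuration with "sshd -T", which makes a script like this unnecessary, and when UsePAM is yes, password logins arrive via keyboard-interactive (the method listed in froinds' error message), so "PasswordAuthentication no" alone does not stop them unless ChallengeResponseAuthentication (KbdInteractiveAuthentication on newer releases) is also no.

```shell
#!/bin/sh
# Added example; not code from the thread, Apple or OpenSSH.  Reads sshd_config
# keywords the way sshd does and audits two constructed config texts.

# Constructed stand-in for the shipped Tiger /etc/sshd_config: every relevant line
# is commented out, so none of them is a setting, whatever follows the '#'.
SHIPPED='#PermitEmptyPasswords no
#PasswordAuthentication yes
#UsePAM no'

# Constructed hardened file along the lines of the thread's plan B.  "sshUser",
# "admin" and "yourMother" are assumed account names.
HARDENED='PermitEmptyPasswords no
UsePAM no
PasswordAuthentication yes
AllowUsers sshUser admin
DenyUsers yourMother'

# effective KEYWORD CONFIG DEFAULT
# Print the value sshd will use: the FIRST uncommented occurrence of KEYWORD,
# else DEFAULT.  Keywords are case-insensitive; a line starting '#' is a comment.
effective() {
    val=$(printf '%s\n' "$2" | awk -v k="$1" '
        /^[[:space:]]*#/ { next }                      # comments never set anything
        tolower($1) == tolower(k) { print $2; exit }   # first match wins
    ')
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# keyword_list KEYWORD CONFIG
# Print every uncommented value of a list keyword (AllowUsers, DenyUsers may
# appear more than once; sshd unions them).
keyword_list() {
    printf '%s\n' "$2" | awk -v k="$1" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { $1 = ""; print }
    '
}

# user_allowed USER CONFIG
# Exit 0 if USER passes sshd's user lists, in sshd's order: a DenyUsers match
# refuses the login; then, if AllowUsers is present at all, USER must match one
# of its patterns.  sshd's * and ? wildcards are honoured via shell globs;
# user@host patterns are not handled here (assumption, to keep it short).
user_allowed() {
    for pat in $(keyword_list DenyUsers "$2"); do
        case $1 in $pat) return 1 ;; esac
    done
    allow=$(keyword_list AllowUsers "$2")
    [ -z "$allow" ] && return 0
    for pat in $allow; do
        case $1 in $pat) return 0 ;; esac
    done
    return 1
}

# audit CONFIG
# Print one line per risky condition the thread ran into; exit status = count.
# The defaults passed to effective() are assumptions: UsePAM yes is what the
# thread found Tiger really uses; the other two are OpenSSH's documented defaults.
audit() {
    n=0
    pam=$(effective UsePAM "$1" yes)
    pw=$(effective PasswordAuthentication "$1" yes)
    empty=$(effective PermitEmptyPasswords "$1" no)
    if [ "$pam" = yes ]; then
        echo "FINDING: UsePAM is effectively yes; PAM decides logins, so PermitEmptyPasswords=$empty and PasswordAuthentication=$pw may not be honoured"
        n=$((n + 1))
    fi
    if [ "$empty" = yes ]; then
        echo "FINDING: PermitEmptyPasswords yes lets passwordless accounts in"
        n=$((n + 1))
    fi
    if [ -z "$(keyword_list AllowUsers "$1")" ]; then
        echo "FINDING: no AllowUsers line, so every local account is offered to sshd"
        n=$((n + 1))
    fi
    return $n
}

echo "== shipped-style config =="; audit "$SHIPPED" || echo "   $? finding(s)"
echo "== hardened config ==";      audit "$HARDENED" && echo "   clean"
```

Run it as-is to see the shipped-style text flagged twice (UsePAM effectively yes, no AllowUsers) and the hardened text pass; to audit a real file, replace the constructed strings with "$(cat /etc/sshd_config)". The first-match rule in effective() is the one that bit froinds: uncommenting "UsePAM no" works only if no earlier uncommented UsePAM line exists.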

macmath
06-10-2005, 02:03 PM
...So, since Apple has shipped Tiger by default saying both
PasswordAuthentication 'yes'
and
UsePAM 'yes'
they have distributed an /etc/sshd_config file which they admit sets up an ssh which is less than ideal.

froinds
06-11-2005, 10:22 AM
I did what you said and it works as I expected. By the way, I started laughing at work when I read "yourMother".
What's the benefit of using PAM? What if I disable it?

macmath
06-11-2005, 11:36 AM
What's the benefit of using PAM? What if I disable it?
To tell you the truth, when it comes to the unix side, I fly by the seat of my pants, learning what I need when I need it and other things as I have time. So I don't know the answer to that.

Typing 'man PAM' directed me to look for /etc/pam.d which I found. The contents of /etc/pam.d/ are
chkpasswd ftpd other sshd sudo
cups login passwd su
and the contents of the file sshd inside are
# login: auth account password session
auth required pam_nologin.so
auth optional pam_afpmount.so
auth sufficient pam_securityserver.so
auth sufficient pam_unix.so
auth required pam_deny.so
account required pam_permit.so
password required pam_deny.so
session required pam_permit.so
session optional pam_afpmount.so
Based upon the man page it seems that it might have its roots in Linux. So as I have time next week I might look these over. It might be valuable to know something about it, since it overrides some of the settings in /etc/sshd_config when PAM is enabled. Perhaps hayne or some others might check in here and help us out.

Which one did you choose to get things to work?

wgscott
06-11-2005, 10:34 PM
I do the same for my children.

To protect it I designate only certain (password-protected) accounts that can be accessed by putting in

AllowUsers myname anothername

One thing I noticed when one of my machines was under attack by a script kiddie is that if the cracker tried a nonexistent username, it would fail immediately. Once I set AllowUsers to only those names I would specifically allow, the break-in attempt with a username guess would hang for several minutes before timing out, thus making my machines an unpleasant target.

macmath
06-12-2005, 01:18 AM
Here is what it said for PAM in Panther's /etc/sshd_config
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no
This was more informative.