The password authentication method is set up by default, so it is easy to implement and requires no configuring. Since all communication is encrypted, passwords are not available for eavesdroppers.
On Windows, Tectia Server does not need a user management program of its own – the user accounts are created with the standard Windows User Manager.
Tectia Server will record a login failure for each failed password authentication attempt.
On Windows, password authentication uses the Windows password to authenticate the user at login time.
On a Unix system, password authentication uses the
/etc/shadow file, depending on how the passwords are set up. The shadow password files can be used on Linux and Solaris servers, but not on HP-UX or AIX servers.
To enable password authentication on the server, the
authentication-methods element of the
ssh-server-config.xml file must contain an
auth-password element. For example:
<authentication-methods> <authentication action="allow"> <auth-password failure-delay="2" max-tries="3" /> ... </authentication> </authentication-methods>
Also other authentication methods can be allowed.
By using selectors, it is possible to allow or require password authentication only for a specified group of users. For more information, see Using Selectors in Configuration File.
Using the Tectia Server Configuration tool, password authentication can be allowed on the Authentication page. See Authentication.
Passwords can also be used as a submethod in keyboard-interactive authentication. For more information, see Password Submethod.
Tectia Server allows users with empty passwords to log in by password authentication method.
On Windows, local users with empty password can be restricted to log on from physical console only by using security policy “Accounts: Limit local account use of blank passwords to console logon only”. If this policy is enabled (default), users with empty passwords cannot log on via Tectia Server using password authentication method. However, same users can still log on via Tectia Server using other authentication methods that do not involve using the account’s password.
The policy “Accounts: Limit local account use of blank passwords to console logon only” does not apply to domain accounts.