Bug#109846: sshd: disabling passwords is confusing
Hi,
I too have been bitten by this. Having set
PasswordAuthentication no
in /etc/sshd_config on sid, it took me several months
(until I accidentally deleted my authorized_keys file)
to realise that password authentication was still possible.
The sshd and sshd_config man pages do not explain that it
is necessary to set
PasswordAuthentication no
and at least one of:
ChallengeResponseAuthentication no
UsePAM no
to disable password-based authentication completely.
I guess there are plenty of other Debian users running
systems with weak passwords, unaware that they may be
vulnerable because their ssh setup is weaker than they
thought.
Better documentation would help here, preferably in
/etc/sshd_config.
Matthew
--
******************************************************************
Matthew Foulkes
Department of Physics, Imperial College London
Prince Consort Road, London SW7 2BW
phone: (020) 7594 7607
fax: (020) 7594 7604
email: m.foulkes@imperial.ac.uk
www: www.imperial.ac.uk/research/cmth
******************************************************************
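A shell check for the situation the report describes, added here as an example that is not part of the bug report or of OpenSSH: it reads an sshd_config, applies sshd's first-occurrence-wins rule to the three directives named above, and reports whether password logins are actually closed off. It assumes upstream defaults, reads only top-level directives (Match blocks are skipped), and the sample configs it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSSH): decide whether an
# sshd_config really shuts off password logins, using the three directives
# from the report. Assumptions: the first occurrence of a keyword wins (as
# in sshd); only top-level directives are read, Match blocks are skipped;
# defaults are upstream's (PasswordAuthentication yes,
# ChallengeResponseAuthentication yes, UsePAM no).

# sshd_value FILE KEYWORD DEFAULT: print the effective value, lower-cased.
sshd_value() {
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }               # blank lines and comments
        tolower($1) == "match" { inmatch = 1 }      # rest of file is Match blocks
        inmatch { next }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# password_auth_disabled FILE: exit 0 only when no login path accepts a
# password. PasswordAuthentication no alone is not enough: with UsePAM yes,
# keyboard-interactive (ChallengeResponseAuthentication) still asks for it.
password_auth_disabled() {
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = no ] || return 1
    [ "$(sshd_value "$1" ChallengeResponseAuthentication yes)" = no ] ||
        [ "$(sshd_value "$1" UsePAM no)" = no ]
}

# make_sample_configs DIR: write constructed sample configs (no real host).
make_sample_configs() {
    # The report's situation: looks disabled, but PAM keeps passwords alive.
    printf 'PasswordAuthentication no\nUsePAM yes\n' >"$1/looks_disabled"
    # The two fixes the report names, one per file.
    printf 'PasswordAuthentication no\nChallengeResponseAuthentication no\nUsePAM yes\n' \
        >"$1/cr_off"
    printf 'PasswordAuthentication no\nUsePAM no\n' >"$1/pam_off"
}

dir=$(mktemp -d)
make_sample_configs "$dir"
for f in looks_disabled cr_off pam_off; do
    if password_auth_disabled "$dir/$f"; then
        echo "$f: password logins disabled"
    else
        echo "$f: password logins STILL POSSIBLE"
    fi
done
rm -r "$dir"
```

Point it at a real file with `password_auth_disabled /etc/ssh/sshd_config` (or wherever the page's /etc/sshd_config lives on your system) to see how the running daemon is actually configured.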