
Securing SSH: Does disabling password authentication work?

Like most everyone who runs an SSH server on the standard port (22), I
get frequent dictionary-based access attempts. They don't worry me
greatly, since I have only a few users and somewhat draconian password
policies, but I am still interested in taking a proactive approach to
SSH security.

I looked at my logs and found that every one of these attacks used
password authentication when trying to authenticate to the server. This
gave me the idea that I could disable password authentication while
leaving the keyboard-interactive (through PAM) and public-key based
systems active.

Running ssh -v now reports the following:
debug1: Authentications that can continue: publickey,keyboard-interactive

Users can still connect to the server and type in their passwords on the
screen without any trouble. Public keys work fine as well. Am I right in
assuming that the password-based scripted login attempts will fail even
if they somehow (heaven forbid) guess a valid password? Is there an easy
way to test this? I've only ever used keyboard-interactive login and
public keys.

Also, I can't switch to only allowing key-based logins, because
some of my users are also whiners and any change I made that required
them to go do work like generating keys would result in a lot of
complaining. There are also times when I need to log in from another
machine and don't have my keys handy.

Advice and insight are appreciated.

Steve Block
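As an added example (editor's code, not part of the original post), a shell check for the two things the post asks about: whether an sshd_config really turns off only the password method, honouring sshd's first-match rule, and how a client can probe a live server for the password method without ever being prompted. The function names and the sample config are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for a server that
# should offer only publickey and keyboard-interactive:
#  1. read the effective global value of each auth keyword from sshd_config
#     (sshd uses the FIRST occurrence of a keyword; lines after a "Match"
#     block apply only conditionally, so the scan stops there);
#  2. probe a live server for the password method without ever prompting.

# effective_option FILE KEYWORD DEFAULT -> prints the effective global value
effective_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        NF == 0 || $1 ~ /^#/ { next }                     # blanks and comments
        tolower($1) == "match" { exit }                   # end of global section
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# password_auth_disabled FILE -> 0 if the password method is off while
# publickey and keyboard-interactive (PAM) stay on; prints all three values
password_auth_disabled() {
    pw=$(effective_option "$1" PasswordAuthentication yes)
    pk=$(effective_option "$1" PubkeyAuthentication yes)
    kb=$(effective_option "$1" ChallengeResponseAuthentication yes)
    echo "PasswordAuthentication=$pw PubkeyAuthentication=$pk" \
         "ChallengeResponseAuthentication=$kb"
    [ "$pw" = no ] && [ "$pk" = yes ] && [ "$kb" = yes ]
}

# probe_password_method USER@HOST -> offers the server only the password
# method; BatchMode stops any prompt, so the output is just the server's reply.
# Expected on a correctly configured server:
#   "Permission denied (publickey,keyboard-interactive)."
probe_password_method() {
    ssh -o BatchMode=yes -o PreferredAuthentications=password \
        -o PubkeyAuthentication=no -o KbdInteractiveAuthentication=no \
        "$1" true 2>&1 | grep -i 'permission denied'
}

# Stand-alone demo on a constructed sshd_config (not a real server's file).
cfg=$(mktemp)
printf '# constructed sample\nPasswordAuthentication no\nUsePAM yes\n' > "$cfg"
if password_auth_disabled "$cfg"; then
    echo "OK: only publickey and keyboard-interactive are offered"
else
    echo "WARNING: the password method is still enabled"
fi
rm -f "$cfg"
```

The probe only reports which methods the server still advertises; a keyboard-interactive login through PAM still accepts a password, so the config check and the probe together say nothing about password strength.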
