Securing SSH: Does disabling password authentication work?
Like most everyone who runs an SSH server on the standard port (22), I
get frequent dictionary based access attempts. They don't worry me
greatly, since I have only a few users and somewhat draconian password
policies, but I am still interested in taking a proactive approach to
SSH security.
I looked at my logs and found that every one of these attacks used
password authentication when trying to authenticate to the server. This
gave me the idea that I could disable password authentication while
leaving the keyboard-interactive (through pam) and public key based
systems active.
Running ssh -v now reports the following
debug1: Authentications that can continue: publickey,keyboard-interactive
Users can still connect to the server and type in their passwords on the
screen without any trouble. Public keys work fine as well. Am I right in
assuming that the password based scripted login attempts will fail even
if they somehow (heaven forbid) guess a valid password? Is there an easy
way to test this? I've only ever used keyboard-interactive login and
public keys.
Also, I can't switch to only allow key based logins because
some of my users are also whiners and any change I made that required
them to go do work like generating keys would result in a lot of
complaining. There are also times when I need to log in from another
machine and don't have my keys handy.
Advice and insight are appreciated.
--
Steve Block
http://ev-15.com/
http://steveblock.com/
scblock@ev-15.com
Reply to: