[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Securing SSH: Does disabling password authentication work?

On Mon, Oct 03, 2005 at 01:24:27PM -0700, Alvin Oga wrote:
On Mon, 3 Oct 2005, Steve Block wrote:
I'm afraid you didn't read at all, did you? Start from the top of the
thread and read again, and you'll see that my question had nothing to do

u sure do have an whacky attitude for being the one that is cracked

the answer still is no...  you are not any more secure
for the sme identical reasons posted previously that you didnt
read/understand to use your own words :-)

Who said anyone was cracked? I'm trying to take a proactive security
approach here.

Let me clarify. In a default debian/sarge install there are three
available SSH authentication options:

1) password
2) keyboard-interactive with pam (would allow auth against LDAP or any
other authentication method possible with pam)
3) public/private keys

According to what I can see from my logs, these automated attempts are
trying to use the first method to log in. The second method is what the
standard OpenSSH client uses by default when no keys are being used, and
the log report for a failed login of this type is different than for the
automated attempts. I prefer to use the third method myself, but like I
said I am unwilling to only allow that method.

I edited my ssh config file to disable the first method, leaving only 2)
and 3) available. With the second method a user can still log in with their system password (default pam configuration) but the authentication
is handled by pam and not the ssh server itself (I think). My users
obviously haven't noticed, and I still normally use keys. I just want to
know if it has made it impossible for the automated dictionary attacks
to log in (the current generation, anyways).

Sorry if I sounded snippy, it's just hard to find any solid info on

Steve Block

Reply to: