
Re: Securing SSH: Does disabling password authentication work?

On Mon, Oct 03, 2005 at 10:14:58AM -0500, Steve Block wrote:
> Users can still connect to the server and type in their passwords on the
> screen without any trouble. Public keys work fine as well. Am I right in
> assuming that the password based scripted login attempts will fail even
> if they somehow (heaven forbid) guess a valid password? Is there an easy
> way to test this? I've only ever used keyboard-interactive login and
> public keys.

No, the worms will still be able to compromise your machine if you've
got keyboard-interactive enabled but password disabled.  I've seen this
from experience.  At my site, which does not have local passwords on
machines and thus has "PasswordAuthentication no" in
/etc/ssh/sshd_config, we are still scanned daily and see sshd logs such as:

Oct  4 09:44:54 sake sshd[11097]: Failed keyboard-interactive for illegal user temp from port 56390 ssh2

> Advice and insight are appreciated.

My advice is to discourage the use of passwords, but insist that if
passwords are used, they must be good ones.  Our Kerberos passwords, for
example, must be a minimum of 8 characters long and use multiple
character classes.
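
An added example (not from this thread) that checks for the gap the reply describes: a POSIX shell audit of sshd_config that flags "PasswordAuthentication no" with the keyboard-interactive path still open, plus a count of failed keyboard-interactive attempts per user in sshd log lines of the form quoted above. The option names are real OpenSSH keywords; the config and log samples are constructed, Match blocks are not handled, and the audit assumes the usual OpenSSH defaults (all three options default to yes).

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config for
# "passwords off, keyboard-interactive still on" and count failed
# keyboard-interactive attempts in sshd logs. Constructed inputs only.
# On a live host compare with the effective values: sshd -T | grep -i kbdinteractive
trap 'rm -f "$WEAK_CFG" "$FIXED_CFG"' EXIT

# First value of a keyword (sshd uses the first occurrence), lower-cased, or
# "unset". KEY is a lower-case awk regex so one call can cover the alias pair.
sshd_opt() {  # usage: sshd_opt <file> <key-regex>
    awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) ~ "^(" key ")$" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }' "$1"
}

# 0 = password-style logins fully off; 1 = passwords off but keyboard-interactive
# (PAM asking for the same password) still open; 2 = PasswordAuthentication on.
audit_sshd_config() {  # usage: audit_sshd_config <file>
    [ "$(sshd_opt "$1" passwordauthentication)" = "no" ] || return 2
    kbd=$(sshd_opt "$1" 'challengeresponseauthentication|kbdinteractiveauthentication')
    [ "$kbd" = "no" ] || return 1
    return 0
}

# stdin: sshd log lines; stdout: "<count> <user>", handling "illegal/invalid user".
count_kbdint_failures() {
    awk '/sshd\[[0-9]+\]: Failed keyboard-interactive for / {
            sub(/.*Failed keyboard-interactive for /, "")
            sub(/^(illegal|invalid) user /, "")
            n[$1]++ }
        END { for (u in n) print n[u], u }'
}

# Constructed inputs: a config that looks hardened, a corrected one, sample log.
WEAK_CFG=$(mktemp);  printf 'PasswordAuthentication no\nUsePAM yes\n' > "$WEAK_CFG"
FIXED_CFG=$(mktemp); printf 'PasswordAuthentication no\nKbdInteractiveAuthentication no\nUsePAM yes\n' > "$FIXED_CFG"
SAMPLE_LOG='Oct  4 09:44:54 sake sshd[11097]: Failed keyboard-interactive for illegal user temp from 192.0.2.10 port 56390 ssh2
Oct  4 09:44:58 sake sshd[11101]: Failed keyboard-interactive for illegal user temp from 192.0.2.10 port 56412 ssh2
Oct  4 09:45:03 sake sshd[11105]: Failed keyboard-interactive for root from 192.0.2.10 port 56430 ssh2
Oct  4 09:45:10 sake sshd[11110]: Accepted publickey for alice from 198.51.100.7 port 40010 ssh2'

for cfg in "$WEAK_CFG" "$FIXED_CFG"; do
    rc=0; audit_sshd_config "$cfg" || rc=$?
    echo "$cfg: audit rc=$rc"          # rc=1 for WEAK_CFG, rc=0 for FIXED_CFG
done
printf '%s\n' "$SAMPLE_LOG" | count_kbdint_failures   # 2 temp, 1 root
```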

