Hello everyone,
We are setting up a server at work, and we have run into something that I am not sure how to resolve.
We have set up sshd (OpenSSH server) on the machine. We have placed ssh keys into each user's home directory that needs to access the system (and they work). We want to disable everyone from logging in, using a password, utilizing ssh keys only to access the system.
I have modified /etc/ssh/sshd_conf to have these settings: ChallengeResponseAuthentication no PasswordAuthentication no UsePAM no
I then restarted the ssh daemon (/etc/init.d/sshd restart), but it still allows the user to login using their password. What am I missing?
Searching google, only turned up the changes that I made above, so I am unclear what else that I need to do. Any guidance would be greatly appreciated. -- Doug
Registered Linux User #285548 (http://counter.li.org) ---------------------------------------- Random Thought: If all else fails, immortality can always be assured by spectacular error. -- John Kenneth Galbraith
We have set up sshd (OpenSSH server) on the machine. We have placed ssh keys into each user's home directory that needs to access the system (and they work). We want to disable everyone from logging in, using a password, utilizing ssh keys only to access the system.
I have modified /etc/ssh/sshd_conf to have these settings: ChallengeResponseAuthentication no PasswordAuthentication no UsePAM no
The config file for sshd is "/etc/ssh/sshd_config" You have modified the config file for the ssh client. Just make sure sshd_config has PasswordAuthentication No and restart sshd and you should be fine.
Barry
On Wed, 2007-02-07 at 22:24 -0600, Barry Brimer wrote:
The config file for sshd is "/etc/ssh/sshd_config" You have modified the config file for the ssh client. Just make sure sshd_config has PasswordAuthentication No and restart sshd and you should be fine.
Thank Barry. Actually, I did change sshd_config, but evidentally, I forgot something. I went back through things today and it worked this time.
Thanks. -- Doug
Registered Linux User #285548 (http://counter.li.org) ---------------------------------------- Random Thought: Maturity is only a short break in adolescence. -- Jules Feiffer
Ski Dawg wrote:
Hello everyone,
We are setting up a server at work, and we have run into something that I am not sure how to resolve.
We have set up sshd (OpenSSH server) on the machine. We have placed ssh keys into each user's home directory that needs to access the system (and they work). We want to disable everyone from logging in, using a password, utilizing ssh keys only to access the system.
I have modified /etc/ssh/sshd_conf to have these settings: ChallengeResponseAuthentication no PasswordAuthentication no UsePAM no
I then restarted the ssh daemon (/etc/init.d/sshd restart), but it still allows the user to login using their password. What am I missing?
Searching google, only turned up the changes that I made above, so I am unclear what else that I need to do. Any guidance would be greatly appreciated. -- Doug
I would advice these changes to the "default" sshd_config settings:
PermitRootLogin without-password AuthorizedKeysFile /just_a_dir/authorized_keys/%u PasswordAuthentication no UsePAM yes
This will give you control of access if at least the /just_a_dir/authorized_keys folder is not writeable for the world (the keys need to readable, not writeable for the user that tries to log on)
Theo
PermitRootLogin without-password AuthorizedKeysFile /just_a_dir/authorized_keys/%u PasswordAuthentication no UsePAM yes
This will give you control of access if at least the /just_a_dir/authorized_keys folder is not writeable for the world (the keys need to readable, not writeable for the user that tries to log on)
Setting "PermitRootLogin without-password" doesn't help your authorized_keys issue, doesn't do anything to make ssh keys work better, and just opens you up to a whole world of issues in the event of some sort of a security problem.
I personally set "PermitRootLogin no" on anything I allow direct access from the outside world to.
Setting the AuthorizedKeysFile to anything other than ~/.ssh/authorized_keys seems ludicrous to me as well. It's not like a user can do anything with that file other than add to it, or steal public keys from machines that are allowed to login to it without a password, thereby allowing either a different machine to log into that machine without a password, or propagating the machines your trusted hosts can log into without a password.
Personally, too much trust is a bad thing. If you need to automate stuff, do it on locked-down user accounts and give them permissions to put the stuff where they need to go, or cron something to check for the data and move it.
Peter
Peter Serwe wrote:
PermitRootLogin without-password AuthorizedKeysFile /just_a_dir/authorized_keys/%u PasswordAuthentication no UsePAM yes
This will give you control of access if at least the /just_a_dir/authorized_keys folder is not writeable for the world (the keys need to readable, not writeable for the user that tries to log on)
Setting "PermitRootLogin without-password" doesn't help your authorized_keys issue, doesn't do anything to make ssh keys work better, and just opens you up to a whole world of issues in the event of some sort of a security problem.
The reason it's still open for root (with key), is that it's being synced to a remote mirror. Indeed closing the access is always better.
I personally set "PermitRootLogin no" on anything I allow direct access from the outside world to.
Setting the AuthorizedKeysFile to anything other than ~/.ssh/authorized_keys seems ludicrous to me as well. It's not like a user can do anything with that file other than add to it, or steal public keys from machines that are allowed to login to it without a password, thereby allowing either a different machine to log into that machine without a password, or propagating the machines your trusted hosts can log into without a password.
Personally, too much trust is a bad thing. If you need to automate stuff, do it on locked-down user accounts and give them permissions to put the stuff where they need to go, or cron something to check for the data and move it.
Well I like to control what is in the public keys. This way I can limit acces based on IP. Some users only have access to CVS.
Theo
On Thu, 2007-02-08 at 16:55 +0100, Theo Band wrote:
I would advice these changes to the "default" sshd_config settings:
PermitRootLogin without-password AuthorizedKeysFile /just_a_dir/authorized_keys/%u PasswordAuthentication no UsePAM yes
This will give you control of access if at least the /just_a_dir/authorized_keys folder is not writeable for the world (the keys need to readable, not writeable for the user that tries to log on)
Like someone else has mentioned, we do not allow remote root logins of any kind. In fact, we have disabled root from logging in at all (even from the console). We set up sudo for users that may need root privileges.
We decided to do this as sudo gives better logging options of anything that happens while root. If there was anytime where we actually need a full root prompt, we could always do sudo -s to get a full root prompt. -- Doug
Registered Linux User #285548 (http://counter.li.org) ---------------------------------------- Random Thought: What is comedy? Comedy is the art of making people laugh without making them puke. -- Steve Martin
-
Barry Brimer -
Peter Serwe -
Ski Dawg -
Theo Band