bin/41812: sshd config enables both password *and* pam (keyboard-interactive)
>Synopsis: as shipped, sshd enables both password and PAM. Thus securing
>requires turning off both.
>Arrival-Date: Tue Aug 04 07:30:00 +0000 2009
>Originator: George Michaelson
>Release: NetBSD 5.0
System: NetBSD sploid 5.0 NetBSD 5.0 (GENERIC) #0: Sun Apr 26 18:50:08 UTC 2009
ok. So, I decided to enable SSH key-only access back to my home host. But, it
turns out that you can't disable password login with one sshd_config change:
you have to BOTH disable PAM and the password entry. Because, one is 'password'
and the other is 'keyboard-interactive' (duh! like, is that not the same thing?)
Run a 5.0 install, try and disable ssh login access with password:
  man sshd | grep eyboard-interactive           no match
  man sshd_config | grep eyboard-interactive    no match
  man sshd | grep -i pam                        no match
  man sshd_config | grep -i pam                 no match
Hmm. so, the default turns ON pam, but, doesn't document the implications?
I'd suggest something like:
By default, sshd is shipped in NetBSD 5.0 with password login accepted
from both PAM and normal login processing. If you want a more secure
sshd, you should probably restrict it to key-based authentication only.
To disable password login, you must define BOTH the
settings in /etc/sshd/sshd_config
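
The interaction described in this report, as an added example that is not part of the original report or of NetBSD's own code: a small audit that resolves an sshd_config the way sshd does (first value obtained wins) and lists which password-capable methods remain open. The keywords PasswordAuthentication, ChallengeResponseAuthentication and UsePAM are standard OpenSSH options rather than names quoted from the report; the defaults table, the PAM-only model of keyboard-interactive and the sample configs are assumptions constructed for illustration.

```python
# Added example: list password-capable login paths left open by an sshd_config.
# ASSUMED_DEFAULTS models the shipped state the report describes (password and
# PAM both enabled); it is an assumption, not a copy of NetBSD's defaults.
ASSUMED_DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "yes",
}
# Newer OpenSSH releases name the same switch KbdInteractiveAuthentication.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def effective_settings(config_text, defaults=ASSUMED_DEFAULTS):
    """Resolve global keywords the way sshd does: first value obtained wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks are out of scope here
            break
        key = ALIASES.get(key, key)
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)
    return {**defaults, **seen}


def password_login_paths(config_text):
    """Return the SSH auth methods that can still end in a password prompt."""
    s = effective_settings(config_text)
    paths = []
    if s["passwordauthentication"] == "yes":
        paths.append("password")
    # Simplification: keyboard-interactive is counted only when PAM backs it.
    if s["challengeresponseauthentication"] == "yes" and s["usepam"] == "yes":
        paths.append("keyboard-interactive")
    return paths


# Constructed sample configs, not taken from a real host.
SHIPPED = "#PasswordAuthentication yes\n#UsePAM yes\n"
ONE_CHANGE = "PasswordAuthentication no\n"
BOTH_CHANGES = "PasswordAuthentication no\nUsePAM no\n"

if __name__ == "__main__":
    for name, cfg in [("shipped", SHIPPED), ("one change", ONE_CHANGE),
                      ("both changes", BOTH_CHANGES)]:
        print(f"{name}: {password_login_paths(cfg) or 'key-only'}")
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser only reads the global section of the file.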