[nycbug-talk] ssh password auth note
Yusuke Shinyama
yusuke at cs.nyu.edu
Fri Apr 7 20:21:46 EDT 2006
Charles Sprickman <spork at bway.net> wrote:
>
> I've made it standard practice when I bring up a unix host that has ssh
> open to the world to edit sshd_config and set it to only accept protocol 2
> and to not allow passwords.
(snip)
>
> PAM. Hmmm. So it appears that the option to disallow passwords is
> basically circumvented by PAM.
Yes. This is one of the common pitfalls in sshd settings. But I'm
wondering why PAM is allowed by default in the first place. I
usually set "UsePAM no" or don't even compile with it. PAM might be
a nice solution in some cases, but normally it seems unnecessarily
complicated to me.
Other sshd_config tidbits I could share are:
PermitRootLogin no
AllowGroups mygroup (filter out users like bin, test or nobody)
Port xxx (any number other than 22 - so that you can avoid passwd attacks)
Yusuke
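The pitfall above is easy to miss on a host you did not build yourself: a distro sshd_config that says "PasswordAuthentication no" but keeps "UsePAM yes" with keyboard-interactive enabled still lets PAM prompt for a password. The script below is an added example, not code from the thread or from OpenSSH. It reads the global section of an sshd_config the way sshd does (first value for a keyword wins, keywords are case-insensitive, "Key value" or "Key=value"), assumes the host uses no Match blocks, and reports the settings discussed in the thread against two constructed sample configs. The defaults it falls back on (PasswordAuthentication yes, UsePAM no, keyboard-interactive yes, Port 22) are OpenSSH's upstream defaults; PermitRootLogin is only reported as clean when set explicitly to "no" because its default has changed across releases.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the PAM/password pitfall.
# Not from the thread. Assumes a global-section-only config (no Match blocks).

# sshd_get KEYREGEX FILE DEFAULT
# Print the first effective value whose keyword matches KEYREGEX (lowercase,
# alternatives separated by |), or DEFAULT when no line sets it.
sshd_get() {
    awk -v k="$1" -v d="$3" '
        BEGIN { re = "^(" tolower(k) ")$"; found = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        tolower($1) == "match" { exit }          # assumption: global section only
        {
            sub(/^[ \t]+/, "")
            n = split($0, f, /[ \t=]+/)          # "Key value" or "Key=value"
            if (n >= 2 && tolower(f[1]) ~ re) { print f[2]; found = 1; exit }
        }
        END { if (!found) print d }
    ' "$2"
}

# audit_sshd_config FILE
# Print one FINDING line per weak setting; return 0 when clean, 1 otherwise.
audit_sshd_config() {
    f=$1; rc=0
    pw=$(sshd_get passwordauthentication "$f" yes)
    pam=$(sshd_get usepam "$f" no)
    # ChallengeResponseAuthentication and KbdInteractiveAuthentication name the
    # same setting (the former is the older spelling); both default to yes.
    kbd=$(sshd_get 'challengeresponseauthentication|kbdinteractiveauthentication' "$f" yes)
    root=$(sshd_get permitrootlogin "$f" unset)
    proto=$(sshd_get protocol "$f" 2)
    port=$(sshd_get port "$f" 22)
    allow=$(sshd_get 'allowgroups|allowusers' "$f" unset)

    [ "$pw" = no ] || { echo "FINDING: PasswordAuthentication is $pw"; rc=1; }
    # The thread's pitfall: with UsePAM yes, keyboard-interactive lets PAM ask
    # for a password even though PasswordAuthentication is no.
    if [ "$pam" = yes ] && [ "$kbd" = yes ]; then
        echo "FINDING: UsePAM yes with keyboard-interactive on: PAM can still prompt for a password"
        rc=1
    fi
    [ "$root" = no ] || { echo "FINDING: PermitRootLogin is $root"; rc=1; }
    case "$proto" in *1*) echo "FINDING: Protocol $proto allows SSH-1"; rc=1 ;; esac
    [ "$allow" != unset ] || { echo "FINDING: no AllowGroups/AllowUsers restriction"; rc=1; }
    [ "$port" != 22 ] || echo "NOTE: Port 22 (a non-default port only cuts scanner noise)"
    return $rc
}

# Constructed sample configs, not taken from any real host.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# Typical distro default: passwords look disabled, but PAM reopens them
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
EOF
cat > "$HARDENED_CFG" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
AllowGroups mygroup
EOF

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== $cfg =="
    if audit_sshd_config "$cfg"; then echo "clean"; else echo "needs attention"; fi
done
```

Run it against /etc/ssh/sshd_config after editing; on a real host also run `sshd -T` (OpenSSH's own dump of effective settings) so Match blocks and include files, which this script ignores, are accounted for. Changing the port hides the daemon from mass scanners but is not an authentication control; the key-only settings are what actually close the door.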