[nycbug-talk] ssh password auth note

Yusuke Shinyama yusuke at cs.nyu.edu
Fri Apr 7 20:21:46 EDT 2006

Charles Sprickman <spork at bway.net> wrote:
> I've made it standard practice when I bring up a unix host that has ssh 
> open to the world to edit sshd_config and set it to only accept protocol 2 
> and to not allow passwords.
> PAM.  Hmmm.  So it appears that the option to disallow passwords is 
> basically circumvented by PAM.

Yes. This is one of common pitfalls in sshd settings.  But I'm
wondering why PAM is allowed as default in the first place.  I
usually set "UsePAM no" or don't even compile with.  PAM might be
nice solutions in some cases, but normally it seems unnecessarily
complicated to me.

Other sshd_config tidbits I could share is...

PermitRootLogin no
AllowGroups mygroup  (filter out users like bin, test or nobody)
Port xxx   (any number other than 22 - so that you can avoid passwd attacks)


More information about the talk mailing list