On 11/08/2020 11:21, Walter Dnes wrote:
> The one service I have listening for external connections on my laptop
> is sshd (192.168.1.0/24). Before taking it anywhere, I want to prohibit
> password-based login for *ALL* accounts, not just root. This would
> require users to be listed in ~/.ssh/authorized_keys. Looking through
> /etc/ssh/sshd_config I *THINK* that I need to set "no" at...
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
>
> Is that correct? If not, what is the correct setting to change?
>
Hi Walter,

Yes that's one of the options you need to disable. The other one is
"ChallengeResponseAuthentication" which will also disable PAM-based
authentication (which may include passwords). So you should have the
following global settings in /etc/ssh/sshd_config:

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

PubkeyAuthentication should default to "yes" but it doesn't hurt to
explicitly set it in case the defaults ever change.

If you so wish, you can also have configurations based on IP address
and/or network. It can be useful as a "fallback" mechanism from trusted
clients, e.g.:

Match Address 192.168.1.0/24
    PasswordAuthentication yes

- Victor
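
The effect of the global settings and the Match override in the reply above can be checked per client address. This is an added example, not part of the original thread and not OpenSSH code: a simplified model of how sshd_config is evaluated that only understands `Match Address`. The function names, the sample configs and the client addresses are constructed for illustration, and the defaults are assumed to be the upstream ones.

```python
import ipaddress

# Upstream OpenSSH defaults for absent keywords (assumption: distro builds may differ).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "challengeresponseauthentication": "yes"}

# Constructed sample: the settings and Match block from the reply above.
REPLY_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""
# Constructed sample: the global "no" placed after the Match line, so it
# belongs to the Match block and never applies to other clients.
MISORDERED = """\
ChallengeResponseAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
PasswordAuthentication no
"""

def match_applies(criteria, client_ip):
    """Simplified model: only 'Match Address <cidr>[,<cidr>...]' is understood."""
    if len(criteria) != 2 or criteria[0].lower() != "address":
        raise ValueError("unsupported Match criteria: " + " ".join(criteria))
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False)
               for net in criteria[1].split(","))

def effective(config_text, client_ip):
    """Effective auth settings for one client; the first value seen for a keyword wins."""
    global_vals, match_vals, in_match, active = {}, {}, False, True
    for raw in config_text.splitlines():
        parts = raw.split("#", 1)[0].replace("=", " ").split()
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":  # everything up to the next Match line is conditional
            in_match, active = True, match_applies(args, client_ip)
        elif key in DEFAULTS and args and active:
            (match_vals if in_match else global_vals).setdefault(key, args[0].lower())
    return {**DEFAULTS, **global_vals, **match_vals}

def password_login_possible(config_text, client_ip):
    """True if password or challenge-response (PAM) login is enabled for this client."""
    eff = effective(config_text, client_ip)
    return "yes" in (eff["passwordauthentication"], eff["challengeresponseauthentication"])
```

On a real host, `sshd -T -C user=<name>,host=<host>,addr=<client-ip>` prints the effective settings as sshd itself computes them for that connection.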