Gentoo Archives: gentoo-user

From: Victor Ivanov <vic.m.ivanov@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Disabling ssh password login on all accounts?
Date: Tue, 11 Aug 2020 12:52:16
Message-Id: eb77498b-63af-9014-bb85-dcc7ced347c1@gmail.com
In Reply to: [gentoo-user] Disabling ssh password login on all accounts? by Walter Dnes

On 11/08/2020 11:21, Walter Dnes wrote:
> The one service I have listening for external connections on my laptop
> is sshd (192.168.1.0/24). Before taking it anywhere, I want to prohibit
> password-based login for *ALL* accounts, not just root. This would
> require users to be listed in ~/.ssh/authorized_keys. Looking through
> /etc/ssh/sshd_config I *THINK* that I need to set "no" at...
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
>
> Is that correct? If not, what is the correct setting to change?
>
Hi Walter,

Yes, that's one of the options you need to disable. The other one is
"ChallengeResponseAuthentication" which will also disable PAM-based
authentication (which may include passwords). So you should have the
following global settings in /etc/ssh/sshd_config:

PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

PubkeyAuthentication should default to "yes" but it doesn't hurt to
explicitly set it in case the defaults ever change.

If you so wish, you can also have configurations based on IP address
and/or network. It can be useful as a "fallback" mechanism from trusted
clients, e.g.:

Match Address 192.168.1.0/24
    PasswordAuthentication yes


- Victor
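
The settings in the message above can be checked against what sshd will actually apply, including the Match block. The following is an added example, not part of the original message: check_key_only is a hypothetical helper that reads the output of "sshd -T" on stdin, and the sample dumps and connection values are constructed.

```shell
#!/bin/sh
# Added example. Feed it the effective configuration that `sshd -T` prints
# (one lowercased "keyword value" pair per line), for example as root:
#   sshd -T -C user=walter,host=laptop,addr=203.0.113.7 | check_key_only
# The user, host and addr values above are hypothetical.

# Exit 0 and print "OK" only when public-key login is on and every
# password-style method is off; otherwise list what is wrong and exit 1.
check_key_only() {
    awk '
        $1 == "pubkeyauthentication"   { pubkey = $2 }
        $1 == "passwordauthentication" { pw = $2 }
        # Newer OpenSSH reports ChallengeResponseAuthentication under the
        # kbdinteractiveauthentication name; accept either, flag any "yes".
        $1 == "kbdinteractiveauthentication" || $1 == "challengeresponseauthentication" {
            seen_kbd = 1
            if ($2 != "no") kbd = kbd " " $1 "=" $2
        }
        END {
            if (pubkey != "yes") bad = bad " pubkeyauthentication=" (pubkey == "" ? "unset" : pubkey)
            if (pw != "no")      bad = bad " passwordauthentication=" (pw == "" ? "unset" : pw)
            bad = bad kbd
            if (!seen_kbd)       bad = bad " kbdinteractiveauthentication=unset"
            if (bad != "") { print "FAIL:" bad; exit 1 }
            print "OK: key-only login"
        }'
}

# Constructed sample dumps (not captured from a real host).
# As seen by a client outside 192.168.1.0/24:
SAMPLE_OUTSIDE='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'
# As seen by a client inside 192.168.1.0/24 when the Match block is present:
SAMPLE_LAN='port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication no'
```

Run it once with an addr outside 192.168.1.0/24 and once with one inside. With the Match block present the second run fails, and that holds on any network that hands out 192.168.1.0/24 addresses, not only the home one.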
