| 1 |
On Tue, Aug 11, 2020 at 01:51:59PM +0100, Victor Ivanov wrote |
| 2 |
|
| 3 |
> Yes that's one of the options you need to disable. The other one is |
| 4 |
> "ChallengeResponseAuthentication" which will also disable PAM-based |
| 5 |
> authentication (which may include passwords). So you should have the |
| 6 |
> following global settings in /etc/ssh/ssd_config: |
| 7 |
> |
| 8 |
> PubkeyAuthentication yes |
| 9 |
> PasswordAuthentication no |
| 10 |
> ChallengeResponseAuthentication no |
| 11 |
|
| 12 |
Victor (and Gerrit), in package.mask, I have... |
| 13 |
|
| 14 |
sys-apps/pv |
| 15 |
sys-auth/pambase |
| 16 |
sys-libs/pam |
| 17 |
virtual/pam |
| 18 |
|
| 19 |
Does that work as well? Let's just say that years ago, when PAM was |
| 20 |
the default on a new install, one of the first things I did after a |
| 21 |
fresh install was to remove PAM. It caused more problems than it was |
| 22 |
worth. "Everything you know is wrong". man pages and Google searches |
| 23 |
for programs would point to the non-PAM version, with different config |
| 24 |
files and settings. It was an absolute pain. |
| 25 |
|
| 26 |
As for "pv", I occasionally fat-finger things as "emerge pv fubar", |
| 27 |
when I actually want to "emerge -pv fubar". emerge will attempt to |
| 28 |
install pv and any other package(s) on the commandline. |
| 29 |
|
| 30 |
> If you so wish, you can also have configurations based on IP address |
| 31 |
> and/or network. It can be useful as a "fallback" mechanism from trusted |
| 32 |
> clients, e.g.: |
| 33 |
> |
| 34 |
> Match Address 192.168.1.0/24 |
| 35 |
> PasswordAuthentication yes |
| 36 |
|
| 37 |
Here at home, I can walk 6 feet to the laptop if necessary so no need. |
| 38 |
Let's be paranoid and assume that evil characters are scanning RFC 1918 |
| 39 |
addresses on Wifi networks at the coffee shop or where ever. BTW, the |
| 40 |
only addresses I allow via iptables are the 192.168.1.0/24 range. |
| 41 |
|
| 42 |
One more level of defense-in-depth. In case iptables fails due to an |
| 43 |
"update", is it possible to "deny all except 192.168.1.0/24" in |
| 44 |
sshd_config? Looking at Google, I think it would be something like... |
| 45 |
|
| 46 |
Match Address !192.168.1.0/24 |
| 47 |
DenyUsers * |
| 48 |
|
| 49 |
One more question... does sshd_config follow the python convention |
| 50 |
that indentinting with spaces or tabs denotes a "block"? |
| 51 |
|
| 52 |
-- |
| 53 |
Walter Dnes <waltdnes@××××××××.org> |
| 54 |
I don't run "desktop environments"; I run useful applications |
Archives