On Tue, Aug 11, 2020 at 01:51:59PM +0100, Victor Ivanov wrote

> Yes that's one of the options you need to disable. The other one is
> "ChallengeResponseAuthentication" which will also disable PAM-based
> authentication (which may include passwords). So you should have the
> following global settings in /etc/ssh/sshd_config:
>
> PubkeyAuthentication yes
> PasswordAuthentication no
> ChallengeResponseAuthentication no

Victor (and Gerrit), in package.mask, I have...

sys-apps/pv
sys-auth/pambase
sys-libs/pam
virtual/pam

Does that work as well? Let's just say that years ago, when PAM was
the default on a new install, one of the first things I did after a
fresh install was to remove PAM. It caused more problems than it was
worth. "Everything you know is wrong". man pages and Google searches
for programs would point to the non-PAM version, with different config
files and settings. It was an absolute pain.

As for "pv", I occasionally fat-finger things as "emerge pv fubar",
when I actually want to "emerge -pv fubar". emerge will attempt to
install pv and any other package(s) on the command line.

> If you so wish, you can also have configurations based on IP address
> and/or network. It can be useful as a "fallback" mechanism from trusted
> clients, e.g.:
>
> Match Address 192.168.1.0/24
> PasswordAuthentication yes

Here at home, I can walk 6 feet to the laptop if necessary so no need.
Let's be paranoid and assume that evil characters are scanning RFC 1918
addresses on Wifi networks at the coffee shop or wherever. BTW, the
only addresses I allow via iptables are the 192.168.1.0/24 range.

One more level of defense-in-depth. In case iptables fails due to an
"update", is it possible to "deny all except 192.168.1.0/24" in
sshd_config? Looking at Google, I think it would be something like...

Match Address !192.168.1.0/24
DenyUsers *

One more question... does sshd_config follow the python convention
that indenting with spaces or tabs denotes a "block"?

--
Walter Dnes <waltdnes@××××××××.org>
I don't run "desktop environments"; I run useful applications
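Two points in the question above are worth checking against the documented sshd behaviour: whether indentation delimits a Match block, and what a Match Address list made only of a negated entry actually matches. The following is an added example, not code from the mail or from OpenSSH. It is a small Python model of the rules given in sshd_config(5) and the PATTERNS section of ssh_config(5) (first value obtained wins, a Match block runs to the next Match line or end of file, Match values override the global section, and a negated pattern never produces a positive match on its own). The config samples are constructed, only `Match Address` and `Match all` criteria are modelled, and names such as `effective_settings` and `user_denied` are the example's own.

```python
"""Model of how sshd resolves keywords through "Match Address" blocks.

Added example, not OpenSSH code and not from the mail above. It models the
rules documented in sshd_config(5) and the PATTERNS section of ssh_config(5):
  - leading whitespace is ignored, so indentation does not delimit a block;
  - a Match block extends to the next Match line or end of file;
  - keywords in a matching block override the global section, and for each
    keyword the first value obtained wins;
  - Address criteria are comma-separated CIDR entries (or "*"), "!" negates an
    entry, and a list consisting only of negated entries never matches.
Only "Match Address" and "Match all" criteria are modelled.
"""
import fnmatch
import ipaddress

# Constructed sample: the deny-all-except block exactly as posted in the thread.
CONFIG_AS_POSTED = """
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

Match Address !192.168.1.0/24
    DenyUsers *
"""

# Constructed sample: same intent, with a positive "*" term so the negated
# entry can exclude the LAN, plus the LAN-only password fallback.
CONFIG_WITH_WILDCARD = """
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

Match Address *,!192.168.1.0/24
DenyUsers *
# DenyUsers above belongs to the block even though it is not indented;
# only the next Match line (or end of file) ends it.
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""


def address_matches(client_ip, criteria):
    """True if client_ip satisfies a Match Address pattern list."""
    ip = ipaddress.ip_address(client_ip)
    matched = False
    for entry in criteria.split(","):
        negated = entry.startswith("!")
        entry = entry.lstrip("!")
        hit = entry == "*" or ip in ipaddress.ip_network(entry, strict=False)
        if hit and negated:
            return False          # a matching negated entry rejects outright
        matched = matched or hit  # some positive hit is needed for a match
    return matched


def parse_config(text):
    """Return (global_settings, [(criteria, settings), ...])."""
    global_settings, blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()              # indentation is meaningless to sshd
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()      # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            crit_type, _, crit_value = value.partition(" ")
            if crit_type.lower() == "all":
                criteria = "*"
            elif crit_type.lower() == "address":
                criteria = crit_value.strip()
            else:
                raise ValueError("only Match Address / Match all are modelled")
            current = {}
            blocks.append((criteria, current))
        else:
            current.setdefault(keyword, value)   # first occurrence wins
    return global_settings, blocks


def effective_settings(text, client_ip):
    """Resolve the settings sshd would apply to a connection from client_ip."""
    global_settings, blocks = parse_config(text)
    result = {}
    for criteria, settings in blocks:
        if address_matches(client_ip, criteria):
            for keyword, value in settings.items():
                result.setdefault(keyword, value)   # first matching block wins
    for keyword, value in global_settings.items():
        result.setdefault(keyword, value)           # Match overrides global
    return result


def user_denied(settings, user):
    """DenyUsers check: any pattern matching the login name denies access.
    Wildcards are approximated with fnmatch; user@host forms are not modelled."""
    return any(fnmatch.fnmatchcase(user, pattern)
               for pattern in settings.get("denyusers", "").split())


if __name__ == "__main__":
    for config, label in ((CONFIG_AS_POSTED, "as posted"),
                          (CONFIG_WITH_WILDCARD, "with wildcard")):
        for ip in ("192.168.1.7", "10.0.0.5"):
            s = effective_settings(config, ip)
            print(f"{label:14} {ip:12} password={s['passwordauthentication']:3} "
                  f"denied={user_denied(s, 'alice')}")
```

Run as written, the "as posted" config denies nobody from any address: a pattern list consisting only of negated entries never yields a positive match, so the block is simply skipped. `Match Address *,!192.168.1.0/24` is the form that matches every address except the LAN. Indentation plays no part in either case; a block ends only at the next `Match` line (`Match all` is the usual way to return to unconditional settings) or at end of file. On a real host the authoritative check is `sshd -T -C addr=10.0.0.5,user=alice,host=laptop`, which prints the settings sshd would actually apply to that connection, and it is worth running for both an inside and an outside address before relying on the block as a fallback for the firewall.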