| View previous topic :: View next topic |
| Author |
Message |
netboy1977
Tux's lil' helper
Joined: 29 Mar 2005
Posts: 76
Location: Muenster/Germany
|
 Posted: Sun Oct 16, 2005 9:58 am Post subject: [solved] ssh with pubkey auth - password auth not allowed |
 |
|
I set up ssh with pubkeys for auth using the autorized_keys file.
This works fine. However, currently user have the choice to authenticate with ssh via pubkey or via password.
I want to disallow password authentication since pubkeys are safer.
Thus I set
in /etc/sshd_config
| Code: |
PasswordAuthentication [b]no[/b]
|
Unfortunatley this configuration did not have any effect. I understand that it might be bypasses by PAM.
But how do I disable password authentication in PAM?
Thank you!
Dominik
/etc/sshd_config
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
#Banner /some/path
# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server
Last edited by netboy1977 on Sun Oct 16, 2005 12:08 pm; edited 1 time in total |
|
| Back to top |
|
 |
krinn
Watchman
Joined: 02 May 2003
Posts: 7470
|
| Posted: Sun Oct 16, 2005 10:21 am Post subject: Re: ssh with pubkey auth - password auth not allowed |
|
|
| netboy1977 wrote: |
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
|
Try to set both to no. |
|
| Back to top |
|
|
netboy1977
Tux's lil' helper
Joined: 29 Mar 2005
Posts: 76
Location: Muenster/Germany
|
| Posted: Sun Oct 16, 2005 12:08 pm Post subject: |
|
|
solved.
since I did not have pam_ssh.so on my system I figured out that PAM merely does password authentication for ssh but ssh is responsible for pubkey-authentication.
I just disabeld in
/etc/ssh/sshd_config:
That it! |
|
| Back to top |
|
|
Per Olav
n00b
Joined: 15 Sep 2004
Posts: 42
Location: Norway
|
| Posted: Sat Nov 12, 2005 12:16 am Post subject: |
|
|
Thanks, this helped me  |
|
| Back to top |
|
|
yottabit
Guru
Joined: 11 Nov 2002
Posts: 313
Location: Columbus, Ohio, US
|
|
| Back to top |
|
|
|
Networking & Security
