Thursday, May 28, 2009

NetBSD ssh: be careful

Riastradh Please be careful with disabling password authentication in NetBSD's sshd.
10:58 Riastradh If you simply put `PasswordAuthentication no' in /etc/ssh/sshd_config, that *won't* disable password authentication.
10:58 Riastradh That is, if you change the default configuration file to add that line, it won't disable password authentication.
10:58 Riastradh The reason is that elsewhere in the default /etc/ssh/sshd_config is the line `UsePam yes', which enables authentication by PAM, which by default accepts password authentication.
10:59 Riastradh So you must both add `PasswordAuthentication no' *and* either comment out `UsePam yes' or change it to `UsePam no'. (The default, in the sshd program that comes with NetBSD, is to disable it, but the default configuration file enables it.)
10:59 Riastradh If you think this state of affairs is absurd, please complain on the netbsd-users mailing list.
10:59 Riastradh Or on the tech-security mailing list.
10:59 Riastradh Or both.
