Secure my SSH
April 22, 2010 12:42 PM
SSHFilter: I'm trying to disable authentication by password for SSH users accessing a server from a remote location. By everything I've read it seems like I've done exactly that, but I can still log in from a remote machine using a password only. Help me get that to stop.
So, I've gone into /etc/sshd_config and edited the permissions there. Specifically, I changed it to
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
and have since completely restarted the server. Now on account X, if I remove authorized_keys from the ~/.ssh directory, I can still access that account remotely using only a password. Shouldn't that not happen?
I also tried the following change in /etc/ssh_config
PasswordAuthentication no
but that didn't do anything either.
It's a Mac Server running Server OS X 10.6.3
My last option, SSH aside, is to go into Workgroup Manager and disable password login access for each account (under Advanced -> Options), which means the only way to access it would be via the SSH keypair. However, when I'm trying to do that as the admin, it tells me that I am unauthorized. I can make it so people cannot access their account at all but I can't only disable the password login.
Response by poster: Yep, they were all commented out. UNIX n00b, so I didn't realize that's what # meant. I should have figured it out since all the comments had that in front of them but oh well.
Thanks a lot!
posted by scrutiny at 1:00 PM on April 22, 2010
This thread is closed to new comments.
Secondly, I'd double check that sshd is using the same sshd_config that you're editing.
posted by rhizome at 12:48 PM on April 22, 2010
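
As an added example, not part of the thread: a shell helper that reports which value sshd takes from a config file for the three directives discussed above, skipping `#` lines as comments and using the first active occurrence of each keyword. The two sample files are constructed stand-ins for /etc/sshd_config, and the helper reads only the global section (it stops at the first Match block).

```shell
#!/bin/sh
# Added example (not from the thread). Prints the value sshd would take from
# the global section of a config file for one keyword, or "unset" when every
# occurrence is commented out and the compiled-in default applies.
effective_value() {   # usage: effective_value FILE KEYWORD
    awk -v want="$2" '
        BEGIN { want = tolower(want); found = 0 }
        /^[ \t]*(#|$)/ { next }                # "#" lines and blank lines are ignored
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (!match(line, /[ \t=]+/)) next  # keyword with no argument
            key = tolower(substr(line, 1, RSTART - 1))  # keywords are case-insensitive
            val = substr(line, RSTART + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit           # only the global section is examined
            if (key == want) { print val; found = 1; exit }  # first value wins
        }
        END { if (!found) print "unset" }
    ' "$1"
}

report() {            # usage: report FILE
    for kw in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        printf '%-34s %s\n' "$kw" "$(effective_value "$1" "$kw")"
    done
}

# Constructed sample files standing in for /etc/sshd_config.
tmp=$(mktemp -d)
cat > "$tmp/commented" <<'EOF'
# Values were edited, but the leading "#" was left in place:
#PasswordAuthentication no
#ChallengeResponseAuthentication no
#UsePAM no
EOF
cat > "$tmp/active" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
passwordauthentication yes
EOF

echo "== commented =="; report "$tmp/commented"
echo "== active ==";    report "$tmp/active"
```

On a live server, `sshd -T` run as root prints the configuration the daemon itself resolves, which also covers the case of editing a file sshd is not reading.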