On 10/10/2013 03:12 PM, David C. Miller wrote: > SSH by default will use a key pair if found but then drops back to > login password. It will also fall back to password if the keypair has > a passphrase and you just hit retrun without type it in. SSH won't > allow you to connect because the password in the shadow file is blank. > Basically if you don't have a password it should not allow you to > login regardless. From a security standpoint it makes sense to never > allow blank passwords. Just give the account a long 25 character > random password and then setup SSH key pairs.
From what I read, it sounds like you are saying that you can't log in with keypairs unless a password has been set. If so, this appears to be incorrect, at least as of CentOS 6. To test this, I did the following: [root@norman ~]# adduser testnopw [root@norman ~]# su - testnopw [testnopw@norman ~]$ mkdir .ssh && chmod 600 .ssh; [testnopw@norman ~]$ nano .ssh/authorized_keys < - pasted id_dsa.pub from another account -> [testnopw@norman ~]$ chmod 600 .ssh/authorized_keys Now, as another account on the same server: [bens@norman] ssh testnopw@localhost Enter passphrase for key '/home/bens/.ssh/id_dsa': [testnopw@norman ~]$ Never, in the above script, was a password set. _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
