On Mon, Oct 03, 2005 at 10:14:58AM -0500, Steve Block wrote:
> Users can still connect to the server and type in their passwords on the
> screen without any trouble. Public keys work fine as well. Am I right in
> assuming that the password based scripted login attempts will fail even
> if they somehow (heaven forbid) guess a valid password? Is there an easy
> way to test this? I've only ever used keyboard-interactive login and
> public keys.
No, the worms will still be able to compromise your machine if you've got keyboard-interactive enabled but password disabled. I've seen this from experience. At my site, which does not have local passwords on machines and thus has "PasswordAuthentication no" in /etc/ssh/sshd_config, we are still scanned daily and see sshd logs such as:

Oct 4 09:44:54 sake sshd[11097]: Failed keyboard-interactive for illegal user temp from 217.171.66.41 port 56390 ssh2

>
> Advice and insight are appreciated.
>

My advice is to discourage the use of passwords, but insist that if passwords are used, they must be good ones. Our Kerberos passwords, for example, must be a minimum of 8 characters long and use multiple character classes.

noah
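The point noah makes is that "PasswordAuthentication no" on its own does not stop password guessing, because sshd's keyboard-interactive method (the ChallengeResponseAuthentication / KbdInteractiveAuthentication directive, which defaults to yes) still prompts for a password. The script below is an added illustration, not code from the thread: it audits an sshd_config fragment for exactly that gap and parses the "Failed keyboard-interactive" / "Failed password" log lines so an admin can see which method the scanners are actually getting through to. The log sample is constructed (the first line mirrors the one quoted in the message; the other addresses are RFC 5737 documentation ranges), and the config parser deliberately ignores Match blocks, which is a simplification of this example.

```python
import re
from collections import Counter

# Constructed sample auth log. The first line has the same shape as the one
# quoted in noah's message; the remaining lines are invented for the example.
SAMPLE_LOG = """\
Oct  4 09:44:54 sake sshd[11097]: Failed keyboard-interactive for illegal user temp from 217.171.66.41 port 56390 ssh2
Oct  4 09:44:57 sake sshd[11099]: Failed keyboard-interactive for illegal user test from 217.171.66.41 port 56402 ssh2
Oct  4 09:45:01 sake sshd[11101]: Failed keyboard-interactive for root from 217.171.66.41 port 56410 ssh2
Oct  4 09:45:05 sake sshd[11103]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
Oct  4 09:46:10 sake sshd[11110]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
"""

# "illegal user" is the older OpenSSH wording, "invalid user" the newer one;
# both mean the username does not exist on the host.
FAILURE_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>keyboard-interactive|password) for "
    r"(?:(?:illegal|invalid) user (?P<bad_user>\S+)|(?P<user>\S+)) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def parse_failures(log_text):
    """Return one dict per failed password or keyboard-interactive attempt."""
    events = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        events.append({
            "method": m.group("method"),
            "user": m.group("bad_user") or m.group("user"),
            "unknown_user": m.group("bad_user") is not None,
            "ip": m.group("ip"),
        })
    return events


def summarize(events):
    """Count failures per (source IP, auth method) and list guessed usernames
    that do not exist locally."""
    per_source = Counter((e["ip"], e["method"]) for e in events)
    unknown_users = sorted({e["user"] for e in events if e["unknown_user"]})
    return per_source, unknown_users


def audit_sshd_config(config_text):
    """Flag a config that disables PasswordAuthentication but leaves
    keyboard-interactive at its default of yes. Only the global section is
    read; a Match block ends parsing (simplification for this example)."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.lower().startswith("match"):
            break
        # sshd_config accepts "Keyword value" or "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()

    password = settings.get("passwordauthentication", "yes")
    # KbdInteractiveAuthentication is the current directive name;
    # ChallengeResponseAuthentication is the legacy alias. Default: yes.
    kbd = settings.get("kbdinteractiveauthentication",
                       settings.get("challengeresponseauthentication", "yes"))

    findings = []
    if password == "no" and kbd != "no":
        findings.append(
            "PasswordAuthentication is off but keyboard-interactive "
            "authentication is still enabled (default yes): password guessing "
            "remains possible; set KbdInteractiveAuthentication no "
            "(ChallengeResponseAuthentication no on older releases)"
        )
    return findings


if __name__ == "__main__":
    per_source, unknown = summarize(parse_failures(SAMPLE_LOG))
    for (ip, method), n in per_source.most_common():
        print(f"{ip:16} {method:21} {n} failures")
    print("nonexistent users tried:", ", ".join(unknown))
    for f in audit_sshd_config("PasswordAuthentication no\n"):
        print("config finding:", f)
```

Running it against the sample shows three keyboard-interactive failures from one source despite passwords being "disabled", which is the behaviour noah describes; the audit function reports a finding for a config that sets only PasswordAuthentication no and returns nothing once keyboard-interactive is turned off as well.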