On Tue, Aug 11, 2020 at 01:51:59PM +0100, Victor Ivanov wrote
> Yes that's one of the options you need to disable. The other one is
> "ChallengeResponseAuthentication" which will also disable PAM-based
> authentication (which may include passwords). So you should have the
> following global settings in /etc/ssh/sshd_config:
>
>   PubkeyAuthentication yes
>   PasswordAuthentication no
>   ChallengeResponseAuthentication no
Victor (and Gerrit), in package.mask, I have...

  sys-apps/pv
  sys-auth/pambase
  sys-libs/pam
  virtual/pam

Does that work as well? Let's just say that years ago, when PAM was the
default on a new install, one of the first things I did after a fresh
install was to remove PAM. It caused more problems than it was worth.
"Everything you know is wrong". man pages and Google searches for
programs would point to the non-PAM version, with different config files
and settings. It was an absolute pain.

As for "pv", I occasionally fat-finger things as "emerge pv fubar", when
I actually want to "emerge -pv fubar". emerge will attempt to install pv
and any other package(s) on the command line.

> If you so wish, you can also have configurations based on IP address
> and/or network. It can be useful as a "fallback" mechanism from trusted
> clients, e.g.:
>
>   Match Address 192.168.1.0/24
>     PasswordAuthentication yes

Here at home, I can walk 6 feet to the laptop if necessary so no need.
Let's be paranoid and assume that evil characters are scanning RFC 1918
addresses on Wifi networks at the coffee shop or wherever. BTW, the only
addresses I allow via iptables are the 192.168.1.0/24 range. One more
level of defense-in-depth. In case iptables fails due to an "update", is
it possible to "deny all except 192.168.1.0/24" in sshd_config? Looking
at Google, I think it would be something like...

  Match Address !192.168.1.0/24
    DenyUsers *

One more question... does sshd_config follow the python convention that
indenting with spaces or tabs denotes a "block"?

--
Walter Dnes <waltd...@waltdnes.org>
I don't run "desktop environments"; I run useful applications
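The two sshd_config questions above (a "deny all except the LAN" Match block, and whether indentation delimits a block) can be checked offline with a small model of how sshd resolves Match blocks. The Python below is an added example written for this thread, not code from the thread or from OpenSSH. It mimics two documented sshd behaviours: leading whitespace is ignored and a Match block runs until the next Match line or end of file, and a Match Address pattern list is evaluated left to right where a negated entry that matches vetoes the block, while a list made only of negations never matches anything (sshd_config(5), PATTERNS). That last rule is why the constructed config below writes the deny block as `Match Address !192.168.1.0/24,*` rather than the bare negation, and the example evaluates both forms so the difference is visible. The config text, the client addresses and the user name are constructed for the example; only the Address criterion and the keywords used in the thread are modelled. On a real host the equivalent check is `sshd -T -C addr=<client-ip>,user=<name>,host=<client-host>`, which prints the effective settings for that connection.

```python
"""Added example: model of sshd Match Address resolution (not OpenSSH code)."""
import fnmatch
import ipaddress

# Constructed sshd_config: the global settings from Victor's reply, the LAN
# password fallback, and a block that denies every address outside the LAN.
# The last pattern list needs the trailing "*" so it can match at all.
SAMPLE_CONFIG = """
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no

Match Address 192.168.1.0/24
    PasswordAuthentication yes

Match Address !192.168.1.0/24,*
    DenyUsers *
"""

# Same intent written as a bare negation, as guessed in the thread.
BARE_NEGATION_CONFIG = """
PasswordAuthentication no

Match Address !192.168.1.0/24
    DenyUsers *
"""


def address_matches(addr, pattern_list):
    """Mimic sshd's address list rule: 1 match, 0 no match, -1 negated hit.

    A matching negated entry returns -1 at once; a matching positive entry
    sets 1 but scanning continues so a later negation can still veto it.
    """
    ip = ipaddress.ip_address(addr)
    ret = 0
    for pat in pattern_list.split(","):
        negated = pat.startswith("!")
        pat = pat[1:] if negated else pat
        try:
            hit = ip in ipaddress.ip_network(pat, strict=False)
        except ValueError:
            hit = fnmatch.fnmatchcase(addr, pat)  # wildcard fallback, e.g. "*"
        if hit:
            if negated:
                return -1
            ret = 1
    return ret


def parse_sshd_config(text):
    """Split config text into global (keyword, arg) pairs and Match blocks.

    Indentation is stripped and ignored: a block ends only at the next
    Match line or at end of file.
    """
    global_settings, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            current = (arg, [])            # (criteria string, settings)
            blocks.append(current)
        elif current is None:
            global_settings.append((keyword, arg))
        else:
            current[1].append((keyword, arg))
    return global_settings, blocks


def block_matches(criteria, client_addr):
    """Evaluate a Match line for one client; only Address is modelled."""
    tokens = criteria.split()
    for attrib, arg in zip(tokens[::2], tokens[1::2]):
        if attrib.lower() != "address":
            raise NotImplementedError("only the Address criterion is modelled")
        if address_matches(client_addr, arg) != 1:
            return False
    return True


def effective_settings(text, client_addr):
    """First matching Match block that sets a keyword wins, else the global value."""
    global_settings, blocks = parse_sshd_config(text)
    effective = {}
    for criteria, settings in blocks:
        if block_matches(criteria, client_addr):
            for key, val in settings:
                effective.setdefault(key, val)
    for key, val in global_settings:
        effective.setdefault(key, val)
    return effective


def user_denied(text, client_addr, user):
    """True if a DenyUsers pattern in effect for this address matches the user."""
    patterns = effective_settings(text, client_addr).get("denyusers", "")
    return any(fnmatch.fnmatchcase(user, p) for p in patterns.split())


if __name__ == "__main__":
    for addr in ("192.168.1.42", "203.0.113.7"):   # constructed client addresses
        eff = effective_settings(SAMPLE_CONFIG, addr)
        print(addr, "password auth:", eff["passwordauthentication"],
              "denied:", user_denied(SAMPLE_CONFIG, addr, "walter"))
    print("bare negation denies 203.0.113.7:",
          user_denied(BARE_NEGATION_CONFIG, "203.0.113.7", "walter"))
```

Run as a script it shows the LAN address getting password authentication with no DenyUsers in effect, the outside address getting `PasswordAuthentication no` plus `DenyUsers *`, and the bare-negation variant denying nobody because its Match line never matches. Note that in sshd itself DenyUsers is evaluated after authentication is attempted, so a working deny block still leaves the daemon reachable; it complements, rather than replaces, the iptables rule mentioned above.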