Hi James.
Why not use two keys to avoid using a static passphrase?

-----Original Message-----
From: McIntyre, James T. (Farragut Suitland, MD) [mailto:[email protected]]
Sent: Monday, June 12, 2017 9:18 AM
To: [email protected]
Subject: RE: [Non-DoD Source] Re: Disabling passwords in the cloud

Not sure I understand the complete question. We do person by person as in loading up authorized_keys with the personal rsa.pub key such as:

    cat .ssh/id_rsa.pub | ssh b@B 'cat >> .ssh/authorized_keys'

Will ask you for password to complete the task. Once done, should not ask for password until key changes. The .ssh lives in the home folder of each user so that each user has a unique key loaded into their remote home folder. This gives us passwordless ssh as well as positive identity of each individual to load them into the proper account. Same goes for root so that root will ssh into root.

Recompiling, must not. Positive ID, must have. Am I way off base?

-----Original Message-----
From: Shawn Wells [mailto:[email protected]]
Sent: Thursday, June 08, 2017 10:28 PM
To: [email protected]
Subject: [Non-DoD Source] Re: Disabling passwords in the cloud

On 6/8/17 9:38 AM, Brent Kimberley wrote:
> Does sshd need to be recompiled - in order to completely disable password authentication?
> I would like to reduce the number of false positives in /var/log/secure
>
>   ^.*sshd.*: Invalid user .* from .*$
>   ^.*sshd.*: reverse mapping checking getaddrinfo for .* failed - POSSIBLE BREAK-IN ATTEMPT!$
>   ^.* sshd.*: input_userauth_request: invalid user .*$

In theory, should be able to disable ChallengeResponseAuthentication and PasswordAuthentication, then call it a day. Never actually tried, though.

_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
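
A check for the two settings named in the thread, as an added example that is not part of any message above. The function names and the sample config are constructed; it assumes the sshd_config(5) rules noted in the comments and does not follow Include directives.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSH sshd_config(5) rules:
# keywords are case-insensitive, the first value obtained for a keyword wins,
# "Keyword=value" is accepted, and lines after "Match" apply conditionally.
# Include directives are not followed.

# effective_value FILE KEYWORD DEFAULT -> global value, lowercased
effective_value() {
    awk -v want="$2" -v def="$3" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }   # normalise line
        /^#/ || /^$/ { next }                               # comments, blanks
        tolower($1) == "match" { exit }                     # end of global part
        tolower($1) == tolower(want) { val = tolower($2); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# password_logins_disabled FILE -> exit status 0 only if both methods are "no"
# (defaults per sshd_config(5): both are "yes" when unset)
password_logins_disabled() {
    [ "$(effective_value "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(effective_value "$1" ChallengeResponseAuthentication yes)" = no ]
}

# match_overrides FILE -> Match-scoped lines that turn either method back on
match_overrides() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { ctx = $0; next }
        ctx != "" && tolower($2) != "no" &&
            tolower($1) ~ /^(passwordauthentication|challengeresponseauthentication)$/ {
            print ctx ": " $1 " " $2
        }
    ' "$1"
}

# Constructed sample: the later "yes" is ignored, the Match block is not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
passwordauthentication no
ChallengeResponseAuthentication=no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
password_logins_disabled "$sample" && echo "global: password logins disabled"
match_overrides "$sample"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the script above only reads a file.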
