a simple question about sshd and PasswordAuthentication
Is there anything inherently dangerous or wrong about enabling PasswordAuthentication in sshd_config? I understand how public keys are better and everything else. And I do use them. I'm just curious.

Jeff.

--
Unless otherwise indicated, anything I write is either garnered from experience or pulled out of my ass, depending on situational needs..
Jeff MacDonald

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: a simple question about sshd and PasswordAuthentication
On 10/25/06, Jeff MacDonald [EMAIL PROTECTED] wrote:
> Is there anything inherently dangerous or wrong about enabling PasswordAuthentication in sshd_config? I understand how public keys are better and everything else. And I do use them. I'm just curious.

Probably not, if you have strong passwords and sensible management policies. That said, PasswordAuthentication attracts the brute-force crackers like flies to rotting meat, so...

--
Juha
http://www.geekzone.co.nz/juha
Re: a simple question about sshd and PasswordAuthentication
--- Juha Saarinen [EMAIL PROTECTED] wrote:
> On 10/25/06, Jeff MacDonald [EMAIL PROTECTED] wrote:
>> Is there anything inherently dangerous or wrong about enabling PasswordAuthentication in sshd_config? I understand how public keys are better and everything else. And I do use them. I'm just curious.
>
> Probably not, if you have strong passwords and sensible management policies. That said, PasswordAuthentication attracts the brute-force crackers like flies to rotting meat, so...

Password authentication in combination with running sshd on a non-standard port is what I use. No problem there.
Re: a simple question about sshd and PasswordAuthentication
On 10/24/06, Jeff MacDonald [EMAIL PROTECTED] wrote:
> Is there anything inherently dangerous or wrong about enabling PasswordAuthentication in sshd_config? I understand how public keys are better and everything else. And I do use them. I'm just curious.

There are many arguments for and against, but /inherently/ they are the same. You are comparing your secret to the secret stored on the server. Keys just tend to be much longer secrets, and are also more difficult to change.

--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--
Re: a simple question about sshd and PasswordAuthentication
On Tuesday 24 October 2006 21:54, Atom Powers wrote:
> On 10/24/06, Jeff MacDonald [EMAIL PROTECTED] wrote:
>> Is there anything inherently dangerous or wrong about enabling PasswordAuthentication in sshd_config? I understand how public keys are better and everything else. And I do use them. I'm just curious.
>
> There are many arguments for and against, but /inherently/ they are the same. You are comparing your secret to the secret stored on the server. Keys just tend to be much longer secrets, and are also more difficult to change.

I don't know about that. With password authentication someone has to guess a valid username and password. With key authentication someone has to guess a valid username, key, and passphrase. While I have boxes that experience thousands of password-based brute-force attempts a day, I don't recall anyone ever bothering to try and brute-force a key. My personal opinion is that if you are using key-based authentication you are, for all practical purposes, invulnerable to brute-forcing. The only way someone is going to get in is via an exploit in ssh or by stealing the key and passphrase from a valid user.

--
Thanks,
Josh Paetzel
Re: a simple question about sshd and PasswordAuthentication
On Tuesday 24 October 2006 21:49, Juha Saarinen wrote:
> On 10/25/06, Jeff MacDonald [EMAIL PROTECTED] wrote:
>> Is there anything inherently dangerous or wrong about enabling PasswordAuthentication in sshd_config? I understand how public keys are better and everything else. And I do use them. I'm just curious.
>
> Probably not, if you have strong passwords and sensible management policies. That said, PasswordAuthentication attracts the brute-force crackers like flies to rotting meat, so...

agreed. 3 weeks ago, i just firewalled off the port (actually, removed the nat), and now require vpn to gain access to my home network. i was repeatedly having pages and pages long nightly security emails of failed ssh attempts. not any more. if the port ain't there... they can't bruteforce it!

cheers,
jonathan
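The thousands of daily password guesses Josh mentions, and the pages of failed attempts in Jonathan's nightly security mail, all come from sshd's "Failed password" / "Accepted publickey" log lines. The following is an added triage script, not code from the thread: it parses those OpenSSH log lines, separates failed password attempts from key logins, and flags sources that are guessing usernames. The log lines are constructed, and the hostname and addresses are placeholders.

```python
import re
from collections import Counter, defaultdict

# OpenSSH auth result lines after the syslog prefix, e.g. "sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample lines, not real traffic: one source guessing usernames and passwords, one legitimate key user.
SAMPLE_LOG = """\
Oct 25 03:12:01 bsdbox sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 25 03:12:06 bsdbox sshd[1205]: Failed password for root from 203.0.113.5 port 51240 ssh2
Oct 25 03:12:09 bsdbox sshd[1207]: Failed password for jeff from 203.0.113.5 port 51244 ssh2
Oct 25 07:40:11 bsdbox sshd[1322]: Accepted publickey for jeff from 198.51.100.7 port 40022 ssh2
Oct 25 07:41:50 bsdbox sshd[1330]: Failed password for jeff from 198.51.100.7 port 40030 ssh2
Oct 25 07:42:02 bsdbox sshd[1330]: Accepted password for jeff from 198.51.100.7 port 40030 ssh2
""".splitlines()


def parse_auth_log(lines):
    """One dict per sshd authentication line; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            events.append({"result": m["result"], "method": m["method"], "user": m["user"],
                           "invalid_user": m["invalid"] is not None, "src": m["src"]})
    return events


def summarize(events, threshold=3):
    """Per-source failed password counts; sources at or above threshold are flagged."""
    failed, probes, accepted = Counter(), Counter(), Counter()
    users = defaultdict(set)
    for e in events:
        if e["result"] == "Failed" and e["method"] == "password":
            failed[e["src"]] += 1
            users[e["src"]].add(e["user"])
            if e["invalid_user"]:          # guesses at accounts that do not exist
                probes[e["src"]] += 1
        elif e["result"] == "Accepted":
            accepted[e["method"]] += 1
    return {"failed_password_by_src": dict(failed),
            "invalid_user_probes_by_src": dict(probes),
            "usernames_tried_by_src": {s: sorted(u) for s, u in users.items()},
            "accepted_by_method": dict(accepted),
            "flagged": {s: n for s, n in failed.items() if n >= threshold}}
```

A source whose failures include "invalid user" entries is guessing account names, not mistyping a password, which is the signature worth alerting on; with PasswordAuthentication off, the same script shows the "Failed password" counts drop to zero while "Accepted publickey" logins continue.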
RE: sshd and passwordauthentication
> debug1: Sent encrypted session key.
> debug1: Installing crc compensation attack detector.
> debug1: Received encrypted confirmation.
> debug1: Doing challenge reponse authentication.
> Password:
> Response:
>
> These last two lines are part of the ChallengeResponseAuthentication method, which (I think) uses one-time passwords. You can skip through this by hitting Enter, when the server should accept your client key and log you in. To disable the ChallengeResponse prompts, you need to change ChallengeResponseAuthentication to no (or add it to the config file) then restart sshd.

Disabling ChallengeResponseAuthentication solved the problem! Strange, isn't it? Thanks a lot for taking the time!!

Didier

To Unsubscribe: send mail to [EMAIL PROTECTED] with unsubscribe freebsd-questions in the body of the message
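Didier's config had PasswordAuthentication no, yet password logins kept working because ChallengeResponseAuthentication was never set and defaults to yes, so keyboard-interactive (PAM) password prompts remained open. The following is an added example, not code from the thread: a small parser that applies sshd's own first-occurrence-wins rule to a config fragment and reports which password paths are still effectively enabled. THREAD_CONFIG is Didier's config as posted in the thread; the KbdInteractiveAuthentication name is the newer OpenSSH spelling of the same option, and Match blocks are deliberately not evaluated.

```python
import re

# Defaults per sshd_config(5); ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitemptypasswords": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Didier's sshd_config from the thread, reconstructed (x.y.z.x is his own placeholder).
THREAD_CONFIG = """\
Protocol 2,1
ListenAddress x.y.z.x
LoginGraceTime 40
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp /usr/libexec/sftp-server
"""

def parse_sshd_config(text):
    """Effective global settings per sshd(8): keywords are case-insensitive, '#' starts a
    comment, the FIRST occurrence wins; stops at the first Match block (not evaluated here)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        settings.setdefault(ALIASES.get(key, key), value)
    return settings

def audit_password_auth(text):
    """Findings that explain why password logins may still succeed with this config."""
    eff = {**DEFAULTS, **{k: v for k, v in parse_sshd_config(text).items() if k in DEFAULTS}}
    findings = []
    if eff["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is effectively yes")
    if eff["kbdinteractiveauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication/KbdInteractiveAuthentication is effectively yes: keyboard-interactive (PAM) password prompts still work")
    if eff["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords is effectively yes")
    return findings
```

On a running host, `sshd -T` prints the effective configuration (Match blocks included) and is the authoritative check; this parser is for reviewing a config file offline, and a restart of sshd is still needed before any change takes effect.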
RE: sshd and passwordauthentication
On Dec 27 Didier Wiroth wrote:
> I'm using a Windows client, PuTTY, where I didn't find that kind of option; here is the output of ssh -v from a Linux test machine:
>
> OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug1: Seeding random number generator
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: restore_uid
> debug1: ssh_connect: getuid 500 geteuid 500 anon 1
> debug1: Connecting to sshd.somewhere.com [sshd.somewhere.com] port 22.
> debug1: temporarily_use_uid: 500/100 (e=500)
> debug1: restore_uid
> debug1: temporarily_use_uid: 500/100 (e=500)
> debug1: restore_uid
> debug1: Connection established.
> debug1: identity file /home/user_test/.ssh/identity type -1
> debug1: identity file /home/user_test/.ssh/id_rsa type -1
> debug1: identity file /home/user_test/.ssh/id_dsa type -1

id_rsa and/or id_dsa exists?

> debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 FreeBSD-20020702
> debug1: match: OpenSSH_3.4p1 FreeBSD-20020702 pat ^OpenSSH
> debug1: Local version string SSH-1.5-OpenSSH_2.9.9p2
> debug1: Waiting for server public key.
> debug1: Received server public key (768 bits) and host key (1024 bits).
> debug1: Host 'sshd.somewhere.com' is known and matches the RSA1 host key.
> debug1: Found key in /home/user_test/.ssh/known_hosts:2
> debug1: Encryption type: 3des
> debug1: Sent encrypted session key.
> debug1: Installing crc compensation attack detector.
> debug1: Received encrypted confirmation.
> debug1: Doing challenge reponse authentication.
> Password:
> Response:
>
> Does that help?

[...]

> On Fri, Dec 27, 2002 at 04:02:52PM +0100, Didier Wiroth wrote:
>> These are the only activated options:
>>
>> Protocol 2,1
>> ListenAddress x.y.z.x
>> LoginGraceTime 40
>> PermitRootLogin no
>> PasswordAuthentication no
>> PermitEmptyPasswords no
>> Subsystem sftp /usr/libexec/sftp-server

Few options to experiment:

RhostsRSAAuthentication yes
HostbasedAuthentication yes
IgnoreUserKnownHosts no
UseLogin no

-andrew

>> All other options are commented with a '#'! Any clues? There is no warning in /var/log/messages!
>
> Hmmm... This looks OK to me. What output do you get if you log in to the box using `ssh -v my.host'? It should print details of protocol negotiation, authentication steps, etc.
>
> Dan
sshd and passwordauthentication
Hey,

I'm using FreeBSD 4.7-RELEASE with sshd version OpenSSH_3.4p1 FreeBSD-20020702. I would like to use only public key authentication. I've set the PasswordAuthentication option in /etc/ssh/sshd_config to no but it doesn't work! I can still log on with passwords! Why? How do I have to change the config file to only allow public key authentication?

Thanks for the help!
Didier
Re: sshd and passwordauthentication
On Fri, Dec 27, 2002 at 09:54:03AM +0100, Didier Wiroth wrote:
> Hey,
>
> I'm using FreeBSD 4.7-RELEASE with sshd version OpenSSH_3.4p1 FreeBSD-20020702. I would like to use only public key authentication. I've set the PasswordAuthentication option in /etc/ssh/sshd_config to no but it doesn't work! I can still log on with passwords! Why? How do I have to change the config file to only allow public key authentication?

Did you restart sshd after editing the config file?

--
Daniel Bye
PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
ASCII ribbon campaign - against HTML, vCards and proprietary attachments in e-mail
RE: sshd and passwordauthentication
Yes! ;-)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Bye
Sent: Friday, December 27, 2002 11:02
To: [EMAIL PROTECTED]
Subject: Re: sshd and passwordauthentication

On Fri, Dec 27, 2002 at 09:54:03AM +0100, Didier Wiroth wrote:
> Hey,
>
> I'm using FreeBSD 4.7-RELEASE with sshd version OpenSSH_3.4p1 FreeBSD-20020702. I would like to use only public key authentication. I've set the PasswordAuthentication option in /etc/ssh/sshd_config to no but it doesn't work! I can still log on with passwords! Why? How do I have to change the config file to only allow public key authentication?

Did you restart sshd after editing the config file?
RE: sshd and passwordauthentication
These are the only activated options:

Protocol 2,1
ListenAddress x.y.z.x
LoginGraceTime 40
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
Subsystem sftp /usr/libexec/sftp-server

All other options are commented with a '#'! Any clues? There is no warning in /var/log/messages!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Bye
Sent: Friday, December 27, 2002 11:32
To: [EMAIL PROTECTED]
Subject: Re: sshd and passwordauthentication

On Fri, Dec 27, 2002 at 11:02:21AM +0100, Didier Wiroth wrote:
> Yes! ;-)

Cool. So, what does your sshd_config look like now? And did you get any warnings or errors in /var/log/messages when you restarted sshd? Maybe you could try logging in to the box using ssh's -v option - use it multiple times to increase its chattiness.

Dan
Re: sshd and passwordauthentication
On Fri, Dec 27, 2002 at 04:02:52PM +0100, Didier Wiroth wrote:
> These are the only activated options:
>
> Protocol 2,1
> ListenAddress x.y.z.x
> LoginGraceTime 40
> PermitRootLogin no
> PasswordAuthentication no
> PermitEmptyPasswords no
> Subsystem sftp /usr/libexec/sftp-server
>
> All other options are commented with a '#'! Any clues? There is no warning in /var/log/messages!

Hmmm... This looks OK to me. What output do you get if you log in to the box using `ssh -v my.host'? It should print details of protocol negotiation, authentication steps, etc.

Dan

--
Daniel Bye
PGP Key: ftp://ftp.slightlystrange.org/pgpkey/dan.asc
PGP Key fingerprint: 3D73 AF47 D448 C5CA 88B4 0DCF 849C 1C33 3C48 2CDC
ASCII ribbon campaign - against HTML, vCards and proprietary attachments in e-mail
RE: sshd and passwordauthentication
I'm using a Windows client, PuTTY, where I didn't find that kind of option; here is the output of ssh -v from a Linux test machine:

OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 500 geteuid 500 anon 1
debug1: Connecting to sshd.somewhere.com [sshd.somewhere.com] port 22.
debug1: temporarily_use_uid: 500/100 (e=500)
debug1: restore_uid
debug1: temporarily_use_uid: 500/100 (e=500)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/user_test/.ssh/identity type -1
debug1: identity file /home/user_test/.ssh/id_rsa type -1
debug1: identity file /home/user_test/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 FreeBSD-20020702
debug1: match: OpenSSH_3.4p1 FreeBSD-20020702 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_2.9.9p2
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'sshd.somewhere.com' is known and matches the RSA1 host key.
debug1: Found key in /home/user_test/.ssh/known_hosts:2
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Doing challenge reponse authentication.
Password:
Response:

Does that help?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Daniel Bye
Sent: Friday, December 27, 2002 17:44
To: [EMAIL PROTECTED]
Subject: Re: sshd and passwordauthentication

On Fri, Dec 27, 2002 at 04:02:52PM +0100, Didier Wiroth wrote:
> These are the only activated options:
>
> Protocol 2,1
> ListenAddress x.y.z.x
> LoginGraceTime 40
> PermitRootLogin no
> PasswordAuthentication no
> PermitEmptyPasswords no
> Subsystem sftp /usr/libexec/sftp-server
>
> All other options are commented with a '#'! Any clues? There is no warning in /var/log/messages!

Hmmm... This looks OK to me. What output do you get if you log in to the box using `ssh -v my.host'? It should print details of protocol negotiation, authentication steps, etc.

Dan