If you allow users to log into sensitive servers by providing passwords, you are tempting fate. Users and passwords are a notoriously bad combination: passwords are weak and/or reused for several purposes, and any password that is accepted over the network can be guessed over the network. Exposing user passwords over SSH is not quite like leaving the key under the doormat, but I think it is a bad idea anyway.
Public key authentication and SSH are a perfect team: it provides a kind of two-factor authentication (something you have, the private key, plus something you know, assuming that the user's key file is encrypted with a strong passphrase; note that the server cannot verify this, so it has to be enforced on the client side) and is trivial to set up.
The default installation of OpenSSH allows plain password logins, (non-public-key) challenge-response authentication and sometimes GSSAPI (Kerberos) authentication. The best way to find out whether your system is "vulnerable" is to ssh into it with the -v flag set and look at the methods the server advertises in the "Authentications that can continue:" debug line:
In my case I want to get rid of all of them except public key authentication. Edit /etc/ssh/sshd_config and make sure that the following options are set:
Save the file, check it with sshd -t, restart the daemon (on Solaris: svcadm restart ssh) and test. Keep your current session open and test a fresh login from a second terminal, so that a typo in the config does not lock you out of the box.
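The two checks described above (reading the method list out of ssh -v and auditing sshd_config), as an added POSIX shell example that is not part of the original post. The debug output and the config fragments are constructed samples; the option names and compiled-in defaults are OpenSSH's, which is an assumption to verify against sshd_config(4) on SunSSH or other derivatives.

```sh
#!/bin/sh
# Added example: mechanises the two checks from the text above.
#  - weak_auth_methods: reads "ssh -v" output on stdin and prints every method
#    the server still offers besides publickey (empty output = only publickey).
#  - audit_sshd_config: reads an sshd_config on stdin and prints each option
#    whose effective value differs from the hardened value.
# Assumption: OpenSSH option names and defaults (PasswordAuthentication and
# ChallengeResponseAuthentication default to yes, GSSAPIAuthentication to no,
# PubkeyAuthentication to yes). Verify these on SunSSH before trusting them.

weak_auth_methods() {
    # The server sends its list in reply to the client's initial "none"
    # attempt, which ssh -v prints as e.g.
    #   debug1: Authentications that can continue: publickey,password,keyboard-interactive
    # Later attempts repeat the line, so the first occurrence is enough.
    sed -n 's/^debug1: Authentications that can continue: //p' |
        head -n 1 |
        tr ',' '\n' |
        grep -v '^publickey$' |
        tr '\n' ',' |
        sed 's/,$//'
}

audit_sshd_config() {
    # sshd uses the FIRST value it finds for an option; lines starting with
    # '#' are comments that merely document defaults. This does not model
    # "Match" blocks, which can re-enable a method for specific users/hosts.
    config=$(cat)
    for spec in \
        'PasswordAuthentication:no:yes' \
        'ChallengeResponseAuthentication:no:yes' \
        'GSSAPIAuthentication:no:no' \
        'PubkeyAuthentication:yes:yes'
    do
        opt=${spec%%:*}
        rest=${spec#*:}
        want=${rest%%:*}
        default=${rest#*:}
        got=$(printf '%s\n' "$config" |
              sed -n "s/^[[:space:]]*$opt[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p" |
              head -n 1 | tr 'A-Z' 'a-z')
        got=${got:-$default}
        [ "$got" = "$want" ] || printf '%s is %s, want %s\n' "$opt" "$got" "$want"
    done
}

# Constructed sample of what "ssh -v host" shows against a default install.
SSH_DEBUG_DEFAULT='debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: publickey'

# Constructed sshd_config fragment before hardening (defaults commented out).
CONFIG_BEFORE='#PasswordAuthentication yes
#ChallengeResponseAuthentication yes
PubkeyAuthentication yes'

# The options to set, as a ready-to-paste fragment.
HARDENED='PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
GSSAPIAuthentication no'

echo "methods besides publickey: $(printf '%s\n' "$SSH_DEBUG_DEFAULT" | weak_auth_methods)"
echo "audit of unhardened config:"
printf '%s\n' "$CONFIG_BEFORE" | audit_sshd_config
echo "audit of hardened config (no output means all good):"
printf '%s\n' "$HARDENED" | audit_sshd_config
```

Against a live host run `ssh -v user@host exit 2>&1 | weak_auth_methods` and `audit_sshd_config < /etc/ssh/sshd_config`; on newer OpenSSH `sshd -T` dumps the effective configuration after defaults and Match blocks are applied, which is the more reliable input for the audit.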