neuhalfen.name

OpenSolaris SSH: Only Allow Public-Key Authentication

The problem

If you allow users to log into sensitive servers with a password, you are tempting fate. Users and passwords are a notoriously bad combination: passwords are weak, reused across several services, or both, and a password login that is reachable from the network can be guessed at by anyone who can reach port 22. Accepting user passwords over SSH is not quite like leaving the key under the doormat, but I think it is a bad idea anyway.

Public key authentication and SSH are a perfect team: it provides a kind of two-factor authentication (assuming the user's private key file is encrypted with a strong passphrase; note that the server cannot verify this, so it relies on the user) and it is trivial to set up.

Password-Authentication

The default installation of OpenSSH allows plain password logins, (non public key) challenge-response authentication and sometimes GSSAPI (Kerberos) authentication. The best way to find out whether your system is "vulnerable" is to ssh into it with the -v flag set and look at the list of authentication methods the server offers:

# ssh -v host
...
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
...

In my case I want to get rid of all of them except publickey.

Solution

Edit /etc/ssh/sshd_config and make sure that the following options are set:

# Reject logins when the user's home directory, ~/.ssh or key files
# have unsafe ownership or permissions (sshd checks, it does not fix them).
StrictModes yes
# ...
PasswordAuthentication no
ChallengeResponseAuthentication no
# Solaris 11 no longer respects ChallengeResponseAuthentication. Use KbdInteractiveAuthentication instead
KbdInteractiveAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
# ...

Save the file, restart sshd (svcadm restart ssh) and test. Do the test from a second terminal while the session you edited the file in is still open: if a typo in sshd_config has disabled the method you rely on, that open session is the only way back in. The ssh -v output should now list publickey as the only method that can continue.
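The two checks above (the sshd_config values and the methods reported by ssh -v) can be scripted so they are repeatable after every change. The following audit script is an added example, not code from the original post; it assumes the file paths given on the command line and works on constructed sample files rather than a live host, so it runs offline. The config reader takes the first occurrence of each keyword in the global section, which is what sshd uses, and stops at the first Match block, whose settings are conditional; options written as "Keyword value" are handled, options inside Match blocks are not.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config and an
# `ssh -v` transcript for the "public key only" policy described above.

# Print the effective value of keyword $1 in sshd_config $2: the first
# uncommented occurrence wins, and scanning stops at the first Match block.
sshd_config_get() {
    awk -v key="$1" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; exit }
    ' "$2"
}

# Return 0 when every required option has the required value, 1 otherwise.
# An unset option is reported as a failure: defaults differ between builds,
# so the policy is only verifiable when the value is explicit.
sshd_config_audit() {
    file="$1"; rc=0
    for pair in \
        "PasswordAuthentication=no" \
        "ChallengeResponseAuthentication=no" \
        "KbdInteractiveAuthentication=no" \
        "GSSAPIAuthentication=no" \
        "PubkeyAuthentication=yes" \
        "StrictModes=yes"
    do
        key="${pair%=*}"; want="${pair#*=}"
        have="$(sshd_config_get "$key" "$file")"
        if [ "$have" != "$want" ]; then
            echo "FAIL: $key is '${have:-<unset>}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Print, one per line, the methods from the last "Authentications that can
# continue" line of an `ssh -v` transcript saved in file $1.
offered_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' "$1" \
        | tail -n 1 | tr ',' '\n'
}

# Return 0 when publickey is the only method offered, 1 when anything else
# (password, keyboard-interactive, gssapi-*) is offered, 2 when no line found.
only_publickey_offered() {
    methods="$(offered_methods "$1")"
    [ -n "$methods" ] || { echo "no 'Authentications that can continue' line"; return 2; }
    extra="$(printf '%s\n' "$methods" | grep -v '^publickey$' || true)"
    if [ -n "$extra" ]; then
        echo "FAIL: methods besides publickey offered: $(printf '%s' "$extra" | tr '\n' ' ')"
        return 1
    fi
    return 0
}

# --- constructed sample input (assumption: not captured from a real host) ---
tmp="${TMPDIR:-/tmp}/sshaudit.$$"
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/sshd_config.bad" <<'EOF'
# Password login still enabled, KbdInteractive/GSSAPI left at their defaults
StrictModes yes
#PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
cat > "$tmp/sshd_config.good" <<'EOF'
StrictModes yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF
cat > "$tmp/ssh-v.before" <<'EOF'
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
EOF
cat > "$tmp/ssh-v.after" <<'EOF'
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
EOF

for f in sshd_config.bad sshd_config.good; do
    echo "== $f =="; sshd_config_audit "$tmp/$f" && echo "OK"
done
for f in ssh-v.before ssh-v.after; do
    echo "== $f =="; only_publickey_offered "$tmp/$f" && echo "OK"
done
```

Usage against a live system: sshd_config_audit /etc/ssh/sshd_config, then capture the client side with ssh -v host 2> transcript.txt and run only_publickey_offered transcript.txt. Note the sample "good" config deliberately re-enables passwords for one user inside a Match block; the audit reports the global policy only, so Match blocks still need a manual read.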
