A random collection of posts

OpenSolaris SSH: Only Allow Public-Key Authentication


The problem

If you allow users to log into sensitive servers by providing passwords, you are tempting fate. Users and passwords are a notoriously bad combination: passwords are weak and/or reused for several purposes. Exposing user passwords over SSH is not quite like leaving the key under the doormat, but I think it is a bad idea anyway.

Public key authentication and SSH are a perfect team: it provides a kind of two-factor authentication (assuming that the user's key file is encrypted with a strong passphrase) and is trivial to set up.


The default installation of OpenSSH allows plain password logins, (non-public-key) challenge-response authentication and sometimes GSSAPI (Kerberos) authentication. The easiest way to find out whether your system is "vulnerable" is to ssh into it with the -v flag set and look at the list of authentication methods the server offers:

# ssh -v host
debug1: Authentications that can continue: gssapi-keyex,gssapi-with-mic,publickey,password,keyboard-interactive

In my case I want to get rid of all of them except publickey.


Edit /etc/ssh/sshd_config and make sure that the following options are set:

# Ensure secure permissions on the user's .ssh directory.
StrictModes yes
# ...
PasswordAuthentication no
ChallengeResponseAuthentication no
# Solaris 11 no longer honours ChallengeResponseAuthentication; use KbdInteractiveAuthentication instead.
KbdInteractiveAuthentication no
GSSAPIAuthentication no
PubkeyAuthentication yes
# ...

Save the file, restart sshd (svcadm restart ssh) and test.
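An audit script for the settings above, added here as an example and not part of the original post: it reads an sshd_config the way sshd does (comments ignored, keywords case-insensitive, first occurrence wins, settings inside a Match block treated as conditional and not counted) and fails if any of the six options is missing or has the wrong value. The sample config at the bottom is constructed for the demo, not taken from a real host.

```shell
#!/bin/sh
# Audit an sshd_config for the authentication options this post sets.
# Comment lines are skipped, keywords are case-insensitive, "Key=value"
# is accepted, and, as in sshd itself, the FIRST occurrence of a keyword
# wins. Parsing stops at the first Match block (conditional settings).

# effective_value FILE KEYWORD -> prints the effective value or "unset"
effective_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# check_sshd_config FILE -> one line per option; returns 0 only if every
# option has the required value. "unset" is a failure: the defaults
# allow password and keyboard-interactive logins.
check_sshd_config() {
    rc=0
    for pair in StrictModes=yes PasswordAuthentication=no \
            ChallengeResponseAuthentication=no KbdInteractiveAuthentication=no \
            GSSAPIAuthentication=no PubkeyAuthentication=yes; do
        key="${pair%%=*}"; want="${pair#*=}"
        have=$(effective_value "$1" "$key")
        if [ "$have" = "$want" ]; then
            echo "ok   $key $have"
        else
            echo "FAIL $key is '$have', want '$want'"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real host's file): the commented-out line is
# not in effect, and the first GSSAPIAuthentication line wins.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# ChallengeResponseAuthentication no
StrictModes yes
PasswordAuthentication no
KbdInteractiveAuthentication no
GSSAPIAuthentication yes
GSSAPIAuthentication no
PubkeyAuthentication yes
EOF
check_sshd_config "$SAMPLE" || echo "sample config FAILS the audit"
rm -f "$SAMPLE"
```

Run it as `sh audit.sh` after pointing `check_sshd_config` at /etc/ssh/sshd_config; the sample reports ChallengeResponseAuthentication as unset and GSSAPIAuthentication as yes, which is exactly the kind of mistake the `ssh -v` check above would also reveal.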