Re: Repeated attacks via SSH

From: Bob Johnson (fbsdlists_at_gmail.com)
Date: 10/03/05

  • Next message: Fernan Aguero: "Re: Repeated attacks via SSH" 
    Date: Mon, 3 Oct 2005 09:51:00 -0400
To: mario <mario-dated-1128750963.989ae6@schmut.com>

    On 10/3/05, mario <mario@schmut.com> wrote:
    > So, Jared Hall wrote:
    > > Is there a way to block root login over 22?
    > > Jared
    > > ______________________
    >
    > yep
    >
    > [root@snoopy ~]#grep Root /etc/ssh/sshd_config
    > PermitRootLogin no

    This is not sufficient if ssh is using PAM for authentication (because
    PAM will allow root logins). Make sure you also have disabled PAM
    authentication with

    ChallengeResponseAuthentication no

    I think both of these settings default to "no" these days, but you
    might want to check your config to be sure.

    - Bob
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

  • Next message: Fernan Aguero: "Re: Repeated attacks via SSH"

    Relevant Pages

    • Re: Securing SSH: Does disabling password authentication work?
      ... keyboard-interactive with pam (would allow auth against LDAP or any ... other authentication method possible with pam) ... public/private keys ... I edited my ssh config file to disable the first method, ...
      (Debian-User)
    • Re: Confusion on SSH and PAM
      ... asked because an authentication failure is not a fatal error. ... When authenticating an SSH session, a list of mutually supported methods ... I have keys setup for root to login, but instead of letting me in with those keys, SSHD ignores them, passes me to PAM for password prompting and the denies me out! ...
      (freebsd-questions)
    • Re: Disable SSH authentication
      ... we can use two ways to login to remote machine: ... My question is that can we disable the SSH authentication so that we don't need to either provide user account or the public key? ... If you really, really, really wanted to do this, you could do it via pam, using UsePAM yes in sshd_config and then set the pam for ssh to accept without checking for any passwords. ...
      (SSH)
    • Re: ssh + kerberos
      ... RB> Anyone have any experience in granting tickets to users upon login ... RB> using pam in a kerberos environment? ... SSH can do this by itself, using either ticket-based or password ... authentication with UsePAM set, and the pam_krb5 module in the PAM stack ...
      (comp.security.ssh)
    • Re: Permission denied (publickey,keyboard-interactive).
      ... Authentication should be directed to the PAM Agent software. ... I'm a bit rusty on SSH and PAM, but where do you set Password- ...
      (comp.unix.aix)