Re: Password auth turned off in OpenSSH

From: C. Linus Hicks (lhicks_at_nc.rr.com)
Date: 10/14/04

  • Next message: Darren Tucker: "Re: [SPAM] cross-compilation failing" 
    To: Darren Tucker <dtucker@zip.com.au>
Date: 14 Oct 2004 01:28:08 -0400

    On Thu, 2004-10-14 at 00:54, Darren Tucker wrote:
    > C. Linus Hicks wrote:
    > > Okay, so here's a typical protocol 2 connection attempt, and it does
    > > show the "Unrecognized authentication method name" message:
    > [...]
    > > Several other attempts where made in succession for other users
    > > including guest, admin (2 times), user, root (3 times), test (again),
    > > nobody, patrick (2 times), and 2 more times for root. Several hours
    > > later, someone tried to connect with putty. Notice that this one does
    > > show "Password authentication disabled" but not the "Unrecognized
    > > authentication method name":
    >
    > That's a SSHv1 connection and the message comes from protocol 1 code.
    > (Older versions of PuTTY would default to protocol 1 if both were
    > available).
    >
    > > The information in my log files show that password authentication is not
    > > being allowed, however, I am noticing that PAM is getting started, yet
    > > it seems clear to me that there's no need to start it at all. Do I have
    > > any cause for concern over that?
    >
    > No, PAM is still needed in case where there is a successful non-password
    > authentication (eg for the "account" and "session" stacks).

    Okay, cool. Then I feel comfortable that I am reasonably secure, AND I
    plan to upgrade to the latest version soon. So the only thing that could
    possibly gain access to my system through ssh would be a brute force
    public key attack? 

    -- 
C. Linus Hicks <lhicks@nc.rr.com>
  • Next message: Darren Tucker: "Re: [SPAM] cross-compilation failing"