<div dir="ltr">In your /etc/ssh/sshd_config set:<br>PermitEmptyLogins no<br>TCPKeepAlive no<br><br>This will stop empty passwds and terminate idle sessions. In terms of preventing agents, I'm not sure but you can prevent agent forwarding in the client [/etc/ssh/ssh_config] but setting:<br>
ForwardAgent no<br><br><br><div class="gmail_quote">2008/9/16 Mark Stewart <span dir="ltr"><<a href="mailto:markwstewart@gmail.com">markwstewart@gmail.com</a>></span><br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div dir="ltr"><p>thanks Alain - your document is a useful faq but I'm looking at a policy to prevent DBA's etc so they don't use passwordless keys or leave ssh-agent running or other ssh bad practices. Users can create keys anywhere and I'm powerless to stop how they create them.<br>
</p><p>If a hacker got hold of password less keys they would control servers at ease.</p><p>I can't see options for sshd that lets your prevent you accepting passwordless keys or find any commercial/open software that does this with OpenSSH. </p>
<p>Any advice appreciated.</p><br><div class="gmail_quote"><div class="Ih2E3d">2008/9/16 Alain Williams <span dir="ltr"><<a href="mailto:addw@phcomp.co.uk" target="_blank">addw@phcomp.co.uk</a>></span><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><div>On Tue, Sep 16, 2008 at 10:12:47AM +0100, Mark Stewart wrote:<div><div></div><div class="Wj3C7c"><br>
> Hi Everyone,<br>
><br>
> Does anyone know how to prevent the use of passwordless ssh keys? I want to<br>
> prevent users authenticating without a password.<br>
><br>
> In fact if anyone know of any ssh policing tools/faqs that would be really<br>
> usefull. I find it simple securing a server, but when you have 100's of<br>
> linux desktops I'm unsure on the best way to stop users leaving ssh-agent<br>
> running all the time or using passwordless keys.<br>
><br>
> Discussion/advise appreciated.<br>
<br>
</div></div></div></div><div><div></div><div class="Wj3C7c">I have had a write up about this for some years:<br>
<br>
<a href="http://www.phcomp.co.uk/TechTutorial/HOWTOs/ssh_passwordless_login.php" target="_blank">http://www.phcomp.co.uk/TechTutorial/HOWTOs/ssh_passwordless_login.php</a><br>
<br>
Comments/suggestions gratefully received.<br>
<br>
--<br>
Alain Williams<br>
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.<br>
+44 (0) 787 668 0256 <a href="http://www.phcomp.co.uk/" target="_blank">http://www.phcomp.co.uk/</a><br>
Parliament Hill Computers Ltd. Registration Information: <a href="http://www.phcomp.co.uk/contact.php" target="_blank">http://www.phcomp.co.uk/contact.php</a><br>
Chairman of UKUUG: <a href="http://www.ukuug.org/#include" target="_blank">http://www.ukuug.org/<br>
#include</a> <std_disclaimer.h><br>
<br>
_______________________________________________<br>
Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk" target="_blank">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
</div></div></blockquote></div><br></div>
<br>_______________________________________________<br>
Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>MCSE is to computers as McDonalds Certified Chef is to fine cuisine.<br>
</div>