<div dir="ltr"><p>thanks for the info, PermitEmptyPasswords doesn't apply to keys, just to password authentication. I'm using MS AD+PAM+ssh to-do the user/password login. It's those darn Keys that are making it unsecure. I think this is a feature of OpenSSH.</p>
<p>-Mark<br></p><br><div class="gmail_quote">2008/9/16 Neel Upadhyaya <span dir="ltr"><<a href="mailto:bahulneel@gmail.com">bahulneel@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div dir="ltr">In your /etc/ssh/sshd_config set:<br>PermitEmptyLogins no<br>TCPKeepAlive no<br><br>This will stop empty passwds and terminate idle sessions. In terms of preventing agents, I'm not sure but you can prevent agent forwarding in the client [/etc/ssh/ssh_config] but setting:<br>
ForwardAgent no<br><br><br><div class="gmail_quote">2008/9/16 Mark Stewart <span dir="ltr"><<a href="mailto:markwstewart@gmail.com" target="_blank">markwstewart@gmail.com</a>></span><div><div class="Wj3C7c"><br><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
<div dir="ltr"><p>thanks Alain - your document is a useful faq but I'm looking at a policy to prevent DBA's etc so they don't use passwordless keys or leave ssh-agent running or other ssh bad practices. Users can create keys anywhere and I'm powerless to stop how they create them.<br>
</p><p>If a hacker got hold of password less keys they would control servers at ease.</p><p>I can't see options for sshd that lets your prevent you accepting passwordless keys or find any commercial/open software that does this with OpenSSH. </p>
<p>Any advice appreciated.</p><br><div class="gmail_quote"><div>2008/9/16 Alain Williams <span dir="ltr"><<a href="mailto:addw@phcomp.co.uk" target="_blank">addw@phcomp.co.uk</a>></span><br></div><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">
<div><div>On Tue, Sep 16, 2008 at 10:12:47AM +0100, Mark Stewart wrote:<div><div><br>
> Hi Everyone,<br>
><br>
> Does anyone know how to prevent the use of passwordless ssh keys? I want to<br>
> prevent users authenticating without a password.<br>
><br>
> In fact if anyone know of any ssh policing tools/faqs that would be really<br>
> usefull. I find it simple securing a server, but when you have 100's of<br>
> linux desktops I'm unsure on the best way to stop users leaving ssh-agent<br>
> running all the time or using passwordless keys.<br>
><br>
> Discussion/advise appreciated.<br>
<br>
</div></div></div></div><div><div>I have had a write up about this for some years:<br>
<br>
<a href="http://www.phcomp.co.uk/TechTutorial/HOWTOs/ssh_passwordless_login.php" target="_blank">http://www.phcomp.co.uk/TechTutorial/HOWTOs/ssh_passwordless_login.php</a><br>
<br>
Comments/suggestions gratefully received.<br>
<br>
--<br>
Alain Williams<br>
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.<br>
+44 (0) 787 668 0256 <a href="http://www.phcomp.co.uk/" target="_blank">http://www.phcomp.co.uk/</a><br>
Parliament Hill Computers Ltd. Registration Information: <a href="http://www.phcomp.co.uk/contact.php" target="_blank">http://www.phcomp.co.uk/contact.php</a><br>
Chairman of UKUUG: <a href="http://www.ukuug.org/#include" target="_blank">http://www.ukuug.org/<br>
#include</a> <std_disclaimer.h><br>
<br>
_______________________________________________<br>
Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk" target="_blank">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
</div></div></blockquote></div><br></div>
<br>_______________________________________________<br>
Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk" target="_blank">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
<br></blockquote></div></div></div><br><br clear="all"><div class="Ih2E3d"><br>-- <br>MCSE is to computers as McDonalds Certified Chef is to fine cuisine.<br>
</div></div>
<br>_______________________________________________<br>
Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
<br></blockquote></div><br></div>