<div dir="ltr"><p>thanks for the info, PermitEmptyPasswords doesn&#39;t apply to keys, just to password authentication. I&#39;m using MS AD+PAM+ssh to do the user/password login. It&#39;s those darn keys that are making it insecure. I think this is a feature of OpenSSH.</p>
<p>-Mark<br></p><br><div class="gmail_quote">2008/9/16 Neel Upadhyaya <span dir="ltr">&lt;<a href="mailto:bahulneel@gmail.com">bahulneel@gmail.com</a>&gt;</span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div dir="ltr">In your /etc/ssh/sshd_config set:<br>PermitEmptyLogins no<br>TCPKeepAlive no<br><br>This will stop empty passwds and terminate idle sessions.&nbsp; In terms of preventing agents, I&#39;m not sure, but you can prevent agent forwarding in the client [/etc/ssh/ssh_config] by setting:<br>

ForwardAgent no<br><br><br><div class="gmail_quote">2008/9/16 Mark Stewart <span dir="ltr">&lt;<a href="mailto:markwstewart@gmail.com" target="_blank">markwstewart@gmail.com</a>&gt;</span><div><div class="Wj3C7c"><br><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">

<div dir="ltr"><p>thanks Alain - your document is a useful faq but I&#39;m looking at a policy to prevent DBAs etc. so they don&#39;t use passwordless keys or leave ssh-agent running or other ssh bad practices. Users can create keys anywhere and I&#39;m powerless to stop how they create them.<br>


</p><p>If a hacker got hold of passwordless keys they would control servers with ease.</p><p>I can&#39;t see options for sshd that let you prevent accepting passwordless keys, or find any commercial/open software that does this with OpenSSH.&nbsp;</p>


<p>Any advice appreciated.</p><br><div class="gmail_quote"><div>2008/9/16 Alain Williams <span dir="ltr">&lt;<a href="mailto:addw@phcomp.co.uk" target="_blank">addw@phcomp.co.uk</a>&gt;</span><br></div><blockquote class="gmail_quote" style="border-left:1px solid rgb(204, 204, 204);margin:0pt 0pt 0pt 0.8ex;padding-left:1ex">


<div><div>On Tue, Sep 16, 2008 at 10:12:47AM +0100, Mark Stewart wrote:<div><div><br>
&gt; Hi Everyone,<br>
&gt;<br>
&gt; Does anyone know how to prevent the use of passwordless ssh keys? I want to<br>
&gt; prevent users authenticating without a password.<br>
&gt;<br>
&gt; In fact if anyone knows of any ssh policing tools/faqs that would be really<br>
&gt; useful. I find it simple securing a server, but when you have 100s of<br>
&gt; linux desktops I&#39;m unsure on the best way to stop users leaving ssh-agent<br>
&gt; running all the time or using passwordless keys.<br>
&gt;<br>
&gt; Discussion/advice appreciated.<br>
<br>
</div></div></div></div><div><div>I have had a write up about this for some years:<br>
<br>
 &nbsp; &nbsp; &nbsp; &nbsp;<a href="http://www.phcomp.co.uk/TechTutorial/HOWTOs/ssh_passwordless_login.php" target="_blank">http://www.phcomp.co.uk/TechTutorial/HOWTOs/ssh_passwordless_login.php</a><br>
<br>
Comments/suggestions gratefully received.<br>
<br>
--<br>
Alain Williams<br>
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.<br>
+44 (0) 787 668 0256 &nbsp;<a href="http://www.phcomp.co.uk/" target="_blank">http://www.phcomp.co.uk/</a><br>
Parliament Hill Computers Ltd. Registration Information: <a href="http://www.phcomp.co.uk/contact.php" target="_blank">http://www.phcomp.co.uk/contact.php</a><br>
Chairman of UKUUG: <a href="http://www.ukuug.org/" target="_blank">http://www.ukuug.org/</a><br>
#include &lt;std_disclaimer.h&gt;<br>
<br>
_______________________________________________<br>
Watford mailing list<br>
<a href="mailto:Watford@mailman.lug.org.uk" target="_blank">Watford@mailman.lug.org.uk</a><br>
<a href="https://mailman.lug.org.uk/mailman/listinfo/watford" target="_blank">https://mailman.lug.org.uk/mailman/listinfo/watford</a><br>
</div></div></blockquote></div><br></div>
<br></blockquote></div></div></div><br><br clear="all"><div class="Ih2E3d"><br>-- <br>MCSE is to computers as McDonalds Certified Chef is to fine cuisine.<br>
</div></div>
<br></blockquote></div><br></div>
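<p>Since sshd only ever sees the public half of a key pair, whether the private key is protected by a passphrase can only be checked where the keys live, i.e. by looking at the private key files under users&#39; home directories on the desktops. The following is an added example (not code from this thread or from OpenSSH) that does that check without needing ssh-keygen: it reads the cipher name from the openssh-key-v1 container header (&quot;none&quot; means no passphrase) and, for the legacy PEM container, looks for the &quot;Proc-Type: 4,ENCRYPTED&quot; header. The sample key files it builds are constructed fixtures with the real header layout but dummy key material, and the /home-like directory tree it scans in <code>demo()</code> is likewise made up.</p>

```python
"""Find passphrase-less (unencrypted) OpenSSH private keys on a desktop.

Added example, not code from this thread or from OpenSSH.  sshd only ever
sees the public half of a key pair, so the check has to run on the key
files themselves.  Two on-disk formats are handled:
  - openssh-key-v1 (the container ssh-keygen writes by default in current
    OpenSSH): the header names the cipher, and "none" means no passphrase;
  - legacy PEM: encrypted keys carry a "Proc-Type: 4,ENCRYPTED" header.
"""
import base64
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_encryption(text):
    """Return (format, cipher) for the text of a key file.

    format is "openssh", "pem", or None when the text is not a private key;
    cipher is the cipher name, with "none" meaning no passphrase."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not (lines[0].startswith("-----BEGIN ")
                         and lines[0].endswith(" PRIVATE KEY-----")):
        return (None, None)
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            return ("openssh", "unknown")
        cipher, _ = _read_string(blob, len(OPENSSH_MAGIC))  # first field after the magic
        return ("openssh", cipher.decode("ascii", "replace"))
    if label == "ENCRYPTED PRIVATE KEY":            # PKCS#8 encrypted container
        return ("pem", "pkcs8")
    if any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:]):
        dek = next((ln for ln in lines[1:] if ln.startswith("DEK-Info:")), "DEK-Info: unknown")
        return ("pem", dek.split(":", 1)[1].split(",")[0].strip())
    return ("pem", "none")


def scan_home_dirs(root):
    """Yield paths of passphrase-less private keys found under <root>/<user>/.ssh."""
    for home in Path(root).iterdir():
        sshdir = home / ".ssh"
        if not sshdir.is_dir():
            continue
        for p in sshdir.iterdir():
            if not p.is_file() or p.suffix == ".pub":
                continue
            try:
                fmt, cipher = key_encryption(p.read_text(errors="replace"))
            except (OSError, ValueError):        # unreadable file or bad base64
                continue
            if fmt is not None and cipher == "none":
                yield p


def make_openssh_container(cipher, kdf):
    """Build an openssh-key-v1 container with the real header layout but dummy
    key material (constructed fixture for this example, not a usable key)."""
    kdfoptions = b"" if kdf == b"none" else _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfoptions)
            + struct.pack(">I", 1)                 # number of keys
            + _ssh_string(b"\x00" * 51)            # stand-in for the public key
            + _ssh_string(b"\x00" * 64))           # stand-in for the private section
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM fixtures (dummy base64 body, not real keys).
PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
-----END RSA PRIVATE KEY-----
"""
PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
-----END RSA PRIVATE KEY-----
"""


def demo():
    """Build a constructed /home-like tree in a temp dir, scan it, and return
    the flagged paths relative to that tree (only alice's key qualifies)."""
    with tempfile.TemporaryDirectory() as root:
        alice = Path(root, "alice", ".ssh")
        alice.mkdir(parents=True)
        (alice / "id_ed25519").write_text(make_openssh_container(b"none", b"none"))
        (alice / "id_ed25519.pub").write_text("ssh-ed25519 AAAA alice@desktop\n")
        bob = Path(root, "bob", ".ssh")
        bob.mkdir(parents=True)
        (bob / "id_rsa").write_text(make_openssh_container(b"aes256-ctr", b"bcrypt"))
        (bob / "legacy_key").write_text(PEM_ENCRYPTED)
        (bob / "known_hosts").write_text("server1 ssh-rsa AAAA\n")
        Path(root, "carol").mkdir()                # no .ssh directory at all
        return sorted(p.relative_to(root).as_posix() for p in scan_home_dirs(root))


if __name__ == "__main__":
    import sys
    hits = list(scan_home_dirs(sys.argv[1])) if len(sys.argv) > 1 else demo()
    for h in hits:
        print("passphrase-less key:", h)
```

<p>Run it as <code>python3 scan_keys.py /home</code> from a cron job or configuration-management hook on each desktop and alert on anything it prints; run it with no argument and it scans the constructed tree instead. Note that it reports keys by reading the container header only, so an openssh-key-v1 file whose header says &quot;none&quot; is flagged even if the rest of the file is damaged, and a key stored in some other format (PuTTY .ppk, PKCS#12) is not examined at all.</p>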