[Watford] SSH Questions

Mark Stewart markwstewart at gmail.com
Tue Sep 16 11:11:33 UTC 2008


Thanks for the info. PermitEmptyPasswords doesn't apply to keys, just to
password authentication. I'm using MS AD+PAM+ssh to do the user/password
login. It's those darn keys that are making it insecure. I think this is a
feature of OpenSSH.

-Mark

2008/9/16 Neel Upadhyaya <bahulneel at gmail.com>

> In your /etc/ssh/sshd_config set:
> PermitEmptyPasswords no
> TCPKeepAlive no
>
> This will stop empty passwds and terminate idle sessions.  In terms of
> preventing agents, I'm not sure, but you can prevent agent forwarding in the
> client [/etc/ssh/ssh_config] by setting:
> ForwardAgent no
>
>
> 2008/9/16 Mark Stewart <markwstewart at gmail.com>
>
>> Thanks Alain - your document is a useful faq but I'm looking at a policy
>> so that DBAs etc. don't use passwordless keys or leave ssh-agent
>> running or other ssh bad practices. Users can create keys anywhere and I'm
>> powerless to stop how they create them.
>>
>> If a hacker got hold of passwordless keys they would control servers with
>> ease.
>>
>> I can't see options for sshd that let you prevent accepting
>> passwordless keys, or find any commercial/open software that does this with
>> OpenSSH.
>>
>> Any advice appreciated.
>>
>> 2008/9/16 Alain Williams <addw at phcomp.co.uk>
>>
>>> On Tue, Sep 16, 2008 at 10:12:47AM +0100, Mark Stewart wrote:
>>> > Hi Everyone,
>>> >
>>> > Does anyone know how to prevent the use of passwordless ssh keys? I want to
>>> > prevent users authenticating without a password.
>>> >
>>> > In fact if anyone knows of any ssh policing tools/faqs that would be really
>>> > useful. I find it simple securing a server, but when you have 100s of
>>> > linux desktops I'm unsure on the best way to stop users leaving ssh-agent
>>> > running all the time or using passwordless keys.
>>> >
>>> > Discussion/advice appreciated.
>>>
>>> I have had a write up about this for some years:
>>>
>>>
>>> http://www.phcomp.co.uk/TechTutorial/HOWTOs/ssh_passwordless_login.php
>>>
>>> Comments/suggestions gratefully received.
>>>
>>> --
>>> Alain Williams
>>> Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT
>>> Lecturer.
>>> +44 (0) 787 668 0256  http://www.phcomp.co.uk/
>>> Parliament Hill Computers Ltd. Registration Information:
>>> http://www.phcomp.co.uk/contact.php
>>> Chairman of UKUUG: http://www.ukuug.org/
>>> #include <std_disclaimer.h>
>>>
>>> _______________________________________________
>>> Watford mailing list
>>> Watford at mailman.lug.org.uk
>>> https://mailman.lug.org.uk/mailman/listinfo/watford
>>>
>>
>
>
> --
> MCSE is to computers as McDonalds Certified Chef is to fine cuisine.
>
>
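
An added example, not part of the thread: sshd never sees whether a private key has a passphrase, so the check asked about above can only be made where the key files are stored. This Python audit classifies private-key files by their on-disk header and lists those saved without a passphrase; it assumes the auditor can read the users' home directories, and `key_protection`, `audit`, `sample_openssh` and the sample values are names constructed for this example.

```python
import base64, os, re, struct

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----(.*?)-----END \1-----", re.S)
MAGIC = b"openssh-key-v1\0"

def key_protection(text):
    """Classify one file's text: 'encrypted', 'unencrypted' or 'not-a-key'."""
    m = PEM_RE.search(text)
    if not m:
        return "not-a-key"
    label, body = m.groups()
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8 encrypted container
        return "encrypted"
    if label == "OPENSSH PRIVATE KEY":        # newer format: cipher name is in the header
        try:
            blob = base64.b64decode("".join(body.split()))
        except ValueError:
            return "not-a-key"
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return "not-a-key"
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n]
        return "unencrypted" if cipher == b"none" else "encrypted"
    # Legacy PEM (RSA/DSA/EC): an encrypted key carries a Proc-Type header
    return "encrypted" if re.search(r"^Proc-Type: 4,ENCRYPTED", body, re.M) else "unencrypted"

def audit(root):
    """Return sorted paths under root that hold a private key with no passphrase."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            try:
                if not os.path.isfile(path):  # skip FIFOs, sockets, dangling links
                    continue
                with open(path, errors="replace") as fh:
                    if key_protection(fh.read(65536)) == "unencrypted":
                        hits.append(path)
            except OSError:
                continue                      # unreadable file: skip it
    return sorted(hits)

def sample_openssh(cipher):
    """Constructed header-only sample (no key material) in the OpenSSH layout."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher + b"\0" * 8
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed legacy-PEM sample: the body is filler, not a real key.
LEGACY_ENC = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nQUJD\n"
              "-----END RSA PRIVATE KEY-----\n")
```

Calling `audit("/home")` returns the offending paths. It only sees key files at rest, so keys already loaded into a running ssh-agent or stored in other formats are outside what it reports.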