
10.4: Disable ssh password login under Tiger System 10.4
Tiger only hint

Given the increase in scripted attacks that guess ssh passwords, I decided to disable passwords altogether and move to public key authentication.

I edited /etc/sshd_config as follows:
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
That worked fine until one day I tried logging into the Tiger machine from an account that lacked the required public key and discovered I could still get in with just a password. It seems 10.4 has added another flag that needs to be disabled as well:

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
UsePAM no
What is curious about UsePAM is that the comment says no is the default, so uncommenting it should not have been necessary. Yet in my own experience I had to disable it explicitly to stop password authentication. Note: don't forget to restart Remote Login after saving the changes.

[robg adds: This earlier hint (and some great associated comments) covered disabling password-based ssh access, also in light of the number of brute force attacks being seen. Interestingly, I hadn't yet redone this hint for 10.4, so I checked the log files today. My machine is still getting pounded by scripted attacks; literally hundreds per hour ... looks like it's time to re-enable the protections from these hints and comments!]

10.4: Disable ssh password login under Tiger
Authored by: kreig303 on Aug 19, '05 09:55:28AM

Is there any sort of primer whereby we can learn more about public key authentication? I am interested in making my machine available for remote login... and it would be good to apply your information towards it.



10.4: Disable ssh password login under Tiger
Authored by: wgscott on Aug 19, '05 09:59:05AM
10.4: Disable ssh password login under Tiger
Authored by: faze on Aug 19, '05 12:25:12PM

This is a great resource for setting up ssh and using public key authentication.

http://www.macdevcenter.com/pub/a/mac/2004/07/09/inside_ssh_pt1.html

They don't get into modifying the sshd_config file until part 3, but every part is worth reading



no home folder on server
Authored by: kyngchaos on Aug 19, '05 02:24:15PM

One problem I have with setting up key authentication is that I have no home folder on the server. I'm setup on Mac OS X Server (10.3) with no home. The step about adding your public key to the authorized keys on the server assumes that it goes in the user's home ssh configuration.

Is this a must? I can add a home folder setting for myself with no problem, but I wonder if this is an absolute requirement, or if there is another place ssh can get authorized keys from, like LDAP maybe?

I can see one case where having no Mac home folder on OSX Server might be common: if a user is a Windows-only user. The Windows home folder setting (profile path) is separate from the Mac home folder setting, a part of Samba configuration.



no home folder on server
Authored by: raider on Aug 22, '05 12:33:47PM

In the server's sshd configuration (SSH Server) there is a setting to change the default key location. Usually the default is ~/.ssh

If you don't have home folders that won't work, but you'll need to specify a different location, although I can't even begin to tell you how or if you can even do that with multiple users (how does it know which key file to use?)



10.4: Disable ssh password login under Tiger
Authored by: wgscott on Aug 19, '05 09:56:12AM

I put a huge dent in the script kiddie's fun with just these two precautions:

1. Put an "AllowUsers" line at the bottom of /etc/sshd_conf with only those users' names that need to log in. Then try logging in as someone else. You will see that ssh just hangs, instead of failing immediately. This makes those scripts highly inefficient, and they go elsewhere real fast.

2. Make certain root is disabled.


I worry about turning pam off.



a small correction...
Authored by: macubergeek on Aug 19, '05 02:38:11PM

The correct file to edit is /etc/sshd_config. And yes, it hangs, but after you enter the password.



What logs to check
Authored by: elmimmo on Aug 19, '05 10:30:58AM

Rob wrote:
> I checked the log files today. My machine is still getting pounded by scripted attacks

For those not in the know, like me: what should we be looking for, and in which logs, in order to determine if we too are being subjected to attacks?



What logs to check
Authored by: kyngchaos on Aug 19, '05 11:26:20AM

I was wondering also, but look at that old hint Rob mentioned.



What logs to check
Authored by: kyngchaos on Aug 19, '05 02:08:26PM

Ah, I was looking at my Server Mac, which is still Mac OS 10.3. It appears Tiger is different, as others are saying now.



What logs to check
Authored by: faze on Aug 19, '05 12:19:33PM

Pre-Tiger it was easy to find the ssh info in /var/log/system.log

Since installing Tiger the only way I see those messages is by adding the following line to /etc/syslog.conf

*.info /var/log/system.log

This has the side effect of doubling some other messages in the system log, but I want to see any failed/success ssh attempts, so I don't mind.

You could also check your firewall logs, but the system log method will give you some info you can't get otherwise



What logs to check
Authored by: rumirocks on Aug 19, '05 02:02:53PM
How do you get to
/etc/syslog.conf
in Terminal so that we can add the line you suggest? Sorry it's a beginner's question, but you guys who contribute to macosxhints come up with the best suggestions and newbies have to start somewhere.

What logs to check
Authored by: faze on Aug 19, '05 02:53:21PM

If you're new to Terminal/Unix, I suggest using pico to edit the file. You will have to edit it as 'superuser', so here's the command to get you into edit mode with pico:

sudo pico /etc/syslog.conf

Then add the line I mentioned before. I added it as the 3rd line in the file.
After you add the line hold down control and press x and pico will ask you if you want to save the changes. After that, I rebooted, although I am sure there is a signal you could send to syslogd to get it to reread the config, but that's up to someone else to find.



What logs to check
Authored by: mmarlett on Aug 19, '05 12:57:12PM

If you want a simple GUI, open Console in /Applications/Utilities/ and click on the "Logs" button. Then scroll down the list to "/var/log", select "secure.log", and see how many times today "frank" tried to log in.



What logs to check
Authored by: bhillier on Aug 19, '05 01:36:35PM

I tried to view the log files with Console, but the log is greyed out, and when I click on it I see this: "===== You do not have permission to read this log file =====". How do I get the permission necessary to view secure.log?



I am denied permission to secure.log
Authored by: rumirocks on Aug 19, '05 02:05:01PM

How do I get into "secure.log" from the console? I am currently denied permission.



I am denied permission to secure.log
Authored by: apollo75 on Dec 03, '05 08:38:09AM

I have the same problem. I am the primary user on this machine, does anyone know why one can't see their own logs?



I am denied permission to secure.log
Authored by: sjk on Dec 03, '05 10:23:01PM

The default permissions on it are read/write by root:

% ls -l /var/log/secure.log
-rw------- 1 root admin 77645 Dec 3 20:00 /var/log/secure.log

Repair Disk Permissions will reset it that way if it's been changed (e.g. when the weekly script rotates the file).

Console would have to authenticate to read that file with those permissions, which it doesn't do. A traditional Unix way to monitor it is by running "sudo tail -F /var/log/secure.log" in a Terminal shell. Or prefix whatever other commands you want to use with "sudo" to access it.



What logs to check
Authored by: MattHaffner on Aug 19, '05 01:08:45PM
Here's a quick terminal script to pull out the failed tries:

grep 'failed to authenticate' /var/log/secure.log

For example, I have an attempt that happened a few days ago and part of it looks like this:

Aug 16 20:45:54 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user exiot.
Aug 16 20:45:58 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user read.
Aug 16 20:46:07 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user write.
Aug 16 20:46:11 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user root.
Aug 16 20:46:15 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user shell.
Aug 16 20:46:19 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user shell.
Aug 16 20:46:23 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user shell.
Aug 16 20:46:27 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user buffer.
Aug 16 20:46:31 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user firebird.
Aug 16 20:46:35 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user amd.
Aug 16 20:46:38 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user xp.
Aug 16 20:46:42 Tyranena com.apple.SecurityServer: authinternal failed to authenticate user service.


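Extending the grep above into a small report, as an added example that is not part of this comment: it counts failures per user and measures the peak number of failures in any sliding 60-second window, so a scripted run stands out from someone mistyping a password. The log lines it writes are constructed to match the format quoted above; the hostname and user names are made up.

```bash
#!/bin/sh
# Added example, not the comment's code: summarise the
# "failed to authenticate user" entries in a Tiger-style secure.log.

# Number of failed attempts in the file ("|| true" keeps grep's exit 1
# for zero matches from aborting a "set -e" script).
failure_total() {
    grep -c 'failed to authenticate user' "$1" || true
}

# "user count" lines, most-attacked user first.
failures_per_user() {
    grep 'failed to authenticate user' "$1" |
        sed 's/.*failed to authenticate user \([^ .]*\)\..*/\1/' |
        sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# Peak number of failures inside any sliding window of $2 seconds
# (default 60). Assumes the log is in time order and ignores the
# day rollover at midnight.
peak_in_window() {
    grep 'failed to authenticate user' "$1" |
        awk -v win="${2:-60}" '
            { split($3, t, ":"); ts[n++] = t[1]*3600 + t[2]*60 + t[3] }
            END {
                peak = 0
                for (i = 0; i < n; i++) {
                    c = 0
                    for (j = i; j < n && ts[j] - ts[i] < win; j++) c++
                    if (c > peak) peak = c
                }
                print peak
            }'
}

report() {
    echo "failed attempts: $(failure_total "$1")"
    echo "per user:"; failures_per_user "$1" | sed 's/^/  /'
    peak=$(peak_in_window "$1" 60)
    if [ "$peak" -gt 5 ]; then
        echo "peak $peak failures in 60s: looks like a scripted guessing run"
    else
        echo "peak $peak failures in 60s: nothing burst-like"
    fi
}

# Constructed sample log in the format quoted above (hostname and
# user names made up; the last line shows a non-matching entry).
SAMPLE=$(mktemp "${TMPDIR:-/tmp}/securelog.XXXXXX")
cat > "$SAMPLE" <<'EOF'
Aug 16 20:45:54 examplehost com.apple.SecurityServer: authinternal failed to authenticate user root.
Aug 16 20:45:58 examplehost com.apple.SecurityServer: authinternal failed to authenticate user test.
Aug 16 20:46:02 examplehost com.apple.SecurityServer: authinternal failed to authenticate user test.
Aug 16 20:46:06 examplehost com.apple.SecurityServer: authinternal failed to authenticate user guest.
Aug 16 20:46:10 examplehost com.apple.SecurityServer: authinternal failed to authenticate user root.
Aug 16 20:46:14 examplehost com.apple.SecurityServer: authinternal failed to authenticate user root.
Aug 16 20:46:20 examplehost com.apple.SecurityServer: Failed Authentication return is being delayed due to over five recent auth failures for username: root.
EOF
report "$SAMPLE"
```

To run it against the real file, point SAMPLE at /var/log/secure.log and run the script with sudo, since the log is readable by root only.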
What logs to check
Authored by: Aet on Aug 20, '05 10:25:02AM

Same problem with permissions as noted above, but a sudo fixes that.



10.4: Disable ssh password login under Tiger
Authored by: fungus on Aug 19, '05 12:00:56PM

ssh usually has 3 forms of authentication (including Tiger).
1. public key authentication
2. keyboard-interactive
3. password

This tip only disables #3.
#2 keyboard-interactive, aka ChallengeResponseAuthentication, can accept a few different types, including one-time-use passwords (s/key) and PAM.
Disabling PAM doesn't disable keyboard-interactive auth, just the use of passwords in this form; s/key is still available. If you don't use s/key authentication, or don't know what it is, you can safely disable ChallengeResponseAuthentication altogether.

The comment about using AllowUsers or AllowGroups is very useful if you must have password authentication enabled and want to restrict ssh usage to specific users.

Note: disabling UsePAM in sshd_config only disables logging in with user/password in ssh. It does not disable PAM completely, and will not interfere or damage anything else.



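Pulling together the hint's two directives and the ChallengeResponseAuthentication setting from this comment, here is an added shell check (not from the hint or from any poster) that reads an sshd_config the way sshd does, first active occurrence wins, and reports whether any password-style login path is still open. It treats an unset directive as open, the conservative reading of the hint author's experience with a commented-out UsePAM; the two sample configs it writes are constructed.

```bash
#!/bin/sh
# Added example, not code from the hint or its comments.
# Reads an sshd_config like sshd does: comment lines are skipped and
# the first active occurrence of a directive wins.

# Print the first active value of a directive (case-insensitive),
# or "unset" if the file never sets it.
sshd_setting() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeeds (exit 0) only when PasswordAuthentication,
# ChallengeResponseAuthentication and UsePAM are all explicitly "no".
# An unset directive counts as open: the hint shows a commented-out
# UsePAM still letting passwords through on Tiger.
password_paths_closed() {
    pw=$(sshd_setting "$1" PasswordAuthentication)
    cr=$(sshd_setting "$1" ChallengeResponseAuthentication)
    pam=$(sshd_setting "$1" UsePAM)
    printf 'PasswordAuthentication=%s ChallengeResponseAuthentication=%s UsePAM=%s\n' \
        "$pw" "$cr" "$pam"
    [ "$pw" = no ] && [ "$cr" = no ] && [ "$pam" = no ]
}

# Constructed sample configs: "before" is the hint's first edit alone,
# "after" adds the two directives the thread settles on.
make_sample() {
    # $1 = output path, $2 = before|after
    {
        echo '#Port 22'
        echo '# To disable tunneled clear text passwords, change to no here!'
        echo 'PasswordAuthentication no'
        echo '#PermitEmptyPasswords no'
        if [ "$2" = after ]; then
            echo 'ChallengeResponseAuthentication no'
            echo 'UsePAM no'
        else
            echo '#UsePAM no'
        fi
    } > "$1"
}

tmp=$(mktemp -d "${TMPDIR:-/tmp}/sshdchk.XXXXXX")
for stage in before after; do
    make_sample "$tmp/$stage" "$stage"
    if password_paths_closed "$tmp/$stage"; then
        echo "$stage: no password-only login path"
    else
        echo "$stage: password login still possible"
    fi
done
# To audit the live file instead: password_paths_closed /etc/sshd_config
```
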
10.4: Disable ssh password login under Tiger
Authored by: vykor on Aug 19, '05 02:44:12PM

What's the advantage to ChallengeResponse and PAM as opposed to plain old password authentication in SSH? It seems that these are both password-level authentication schemes. Seems a bit redundant for the same level of security (or lack thereof).



10.4: Disable ssh password login under Tiger
Authored by: faze on Aug 19, '05 12:44:27PM

I can't reproduce the problem you have with ssh accepting password unless you uncomment the PAM line. I am curious if anyone else has ever witnessed this? I have been using public key authentication for ssh access to my mac and, at first, this post worried me a bit, but I don't see any problem with my config after testing.



Other Options?
Authored by: lullabud on Aug 19, '05 01:04:18PM

I have an 867MHz laptop, so when people are hacking at the door of my sshd it really grinds my CPU, leading to heat and eventually the fan turning on, leading to me having to disable sshd for some amount of time to stop the attack. There has got to be a better way...

Ideally, I'd like a way to either lock out connections from a certain IP# that fails too many times so that sshd simply drops all packets from that IP#. Another option would be to add an incremental delay period for each failed login...

Speaking of delays, is there a way to add a delay to the authentication process? I'm assuming the CPU consumption is caused by the mathematics behind the encryption. A delay in the authentication would keep the CPU usage down, as well as just make it longer for the perp to get the work done and this might be a simpler process than other options.

I'm also open to more active ways of slowing down or denying these attacks while leaving sshd enabled.



Other Options?
Authored by: derekhed on Aug 19, '05 01:19:11PM

I have not tried this personally, but you could look into changing your MaxStartups value in the sshd_config file on your machine. Do a 'man sshd_config' and look for that parameter.



What process is signaling this?
Authored by: hamarkus on Aug 19, '05 02:44:41PM

Which process is doing the ssh stuff? In other words, how do I see it when people are pounding at my door? I often have the processes 'sh', 'pmTool', 'kerneltask' taking up a lot of cycles (10% to 20%); I attribute some of these to Matlab, which might use these processes, or VirtualPC as well.



Monitoring and Delays
Authored by: lullabud on Aug 19, '05 03:06:13PM

I've actually never paid attention to what process is doing the authentication, and frankly I'm not too sure about OS X's `top` binary, but I keep an eye on my network meter for systematic looking patterns and my CPU meter for consistent CPU usage when my system should be idling. If something looks fishy I `tail -f /var/log/system.log`. (That's also handy when used with /var/log/httpd/access_log when people are hacking your webserver.)

Also, while testing to see which process would be hogging the CPU, I noticed this in the system log:

Failed Authentication return is being delayed due to over five recent auth failures for username: foo.

I wonder if there's a variable I can change to lengthen that delay....



What process is signaling this?
Authored by: vykor on Aug 19, '05 05:22:07PM

For every ssh connection, there should be a correspondingly forked sshd instance to handle it. So in the list in top or ps, look for the sshd instances.



Other Options? DenyHosts
Authored by: vortmax on Aug 19, '05 06:18:56PM

http://denyhosts.sourceforge.net/

This is a python script that you can cron as root. It checks the access logs and, for those hits from script kiddies, it will add the offending IP to the /etc/hosts.deny file.

Careful if you fail your own login password. You could deny your valid IP.

vortmax



10.4: Disable ssh password login under Tiger
Authored by: hagbard on Aug 19, '05 04:08:12PM

I went from dozens of attacks to zero with a very simple change:
use a different port for sshd. Instead of port 22, use a port > 32768 (and < 65535). Most scripts are hardcoded for port 22, and don't try to sniff the ssh port first.
I remember that I had to look around a bit in order to change that, something like modifying /etc/services and inside /etc/xinetd.d/
I really thought that there was a hint about that already. If people ask, I'll post a complete hint on that topic!



10.4: Disable ssh password login under Tiger
Authored by: squawky on Aug 19, '05 05:44:18PM
I'm not so sure about changing the port -- the logs on my G5 at work showed repeated attempts to ssh using random ports as well as random usernames. Even if the script used the wrong port, the syslog still recorded hundreds of attempts to ssh in.

The only solution I could come up with was to use tcpwrappers: deny ssh access to any IP that is not part of the domain at work, or part of the domain my ISP uses. That reduced the hundreds attempts to the occasional "sshd access denied to (random ip)" note. (Plus the strong passwords and disabled root access, etc. etc.)

Not the best solution, since I have to ssh into a work machine and then into the G5 if I'm away from home (to edit the /etc/hosts.allow file, at the very least) -- but it seems to work.

10.4: Disable ssh password login under Tiger
Authored by: twangster on Aug 19, '05 06:16:42PM

hey hagbard,

I see a port setting in sshd_config, "#Port 22". Wondering if I can just change it here? I just went through my secure.log, and it gets pounded daily. I had no idea! Damn script kiddies.



changing the port number
Authored by: xcgr on Aug 19, '05 08:33:46PM

I changed my SSH service to a non-standard port several months ago. It cut the unwanted login attempts down to zero, since most malware scripts only probe port 22. Obviously this is security by obscurity, and it shouldn't be your primary means of defense. But it does reduce the attack surface, as well as the noise level in the log files.

How to change the sshd port depends on your Mac OS X version. These earlier hints have the details:

10.3: Changing the default SSH server port
10.4: Change the default sshd port

I didn't see a hint for 10.2, but I believe you do it simply by uncommenting and changing the "Port" directive in /private/etc/sshd_config. Then restart the service. For more info, type "man sshd_config" in Terminal.



changing the port number
Authored by: dtungsten on Oct 21, '05 07:31:07PM

> I didn't see a hint for 10.2, but I believe you do it simply by uncommenting and changing the "Port" directive in /private/etc/sshd_config. Then restart the service.

Yes, that works (you have to have admin privileges to edit that file, of course).



10.4: Disable ssh password login under Tiger
Authored by: Alex Yeh on Sep 03, '05 05:26:07AM

you could get rid of the necessity of having to enter those aliases with each new login by including them in your .profile file. This is very easy with TextWrangler, which is freeware. Simply select "open hidden..." and check the box that lets you edit *any* file, then go to your home directory, and open the .profile hidden file. Add your aliases, and they will "stick," even after logging out and back in again.



10.4: Disable ssh password login under Tiger
Authored by: legacyb4 on Oct 02, '05 06:32:46PM
Enable:

ChallengeResponseAuthentication no

and things should work...

10.4: Disable ssh password login under Tiger
Authored by: richardl on Jul 04, '06 07:45:57PM

Instead of sshd not using the PAM exit, does anyone know how to modify /etc/pam.d/sshd to deny the login via password?



10.4: Disable ssh password login under Tiger
Authored by: richardl on Jul 05, '06 08:32:12AM

Well .. to answer my own question, I believe you just need to set:

ChallengeResponseAuthentication no


