Submit Hint Search The Forums LinksStatsPollsHeadlinesRSS
14,000 hints and counting!

Click here to return to the '10.4: Disable ssh password login under Tiger' hint
The following comments are owned by whoever posted them. This site is not responsible for what they say.
10.4: Disable ssh password login under Tiger
Authored by: fungus on Aug 19, '05 12:00:56PM

ssh usually has 3 forms of authentication (including Tiger).
1. public key authentication
2. keyboard-interactive
3. password

This tip only disables #3.
#4 keyboard-interactive aka ChallengeResponseAuthentication can accept a few different types, including one time use passwords (s/key), and PAM.
disabling PAM doesn't disable keyboard-interactive auth, just the use of passwords in this form. s/key is still available. If you don't use, or know what s/key authentication is, you can safely disable ChallengeResponseAuthentication altogether.

The comment about using AllowUsers or AllowGroups is very useful if you must have password authentication enabled and want to restrict ssh usage to specific users.

Note: disabling UsePAM in sshd_config only disables logging in with user/password in ssh. It does not disable PAM completely, and will not interfere or damage anything else.

[ Reply to This | # ]
10.4: Disable ssh password login under Tiger
Authored by: vykor on Aug 19, '05 02:44:12PM

What's the advantage to ChallengeResponse and PAM as opposed to plain old password authentication in SSH? It seems that these are both password-level authentication schemes. Seems a bit redundant for the same level of security (or lack thereof).

[ Reply to This | # ]