Disable ssh password login under Tiger

rross - 11:01am Jul 5, 2006 PST

Hi .. I would like to only allow ssh login through public key access (OSX 10.4.7), but all the hints I found were to set "PasswordAuthentication no" and also "UsePAM no". I would think it would be a lot safer to continue to use PAM, but, instead, to modify /etc/pam.d/sshd to disallow login passwords. Do I need to be concerned if I disable "UsePAM"? Does anyone have hints on the PAM modification to disallow passwords?

Thanks, Richard


rross - Jul 6, 2006 7:12 am (#1 Total: 5)  

Well .. to answer my own question, I believe you just need to disable ChallengeResponseAuthentication. This should still allow PAM to validate account and session settings.

Curtis Wilcox (apparently) - Jul 6, 2006 7:12 am (#2 Total: 5)  

On 7/5/06 2:01 PM, "rross" <rrossus.ibm.com> wrote:

> Hi .. I would like to only allow ssh login through public key access (OSX
> 10.4.7), but all the hints I found was to set "PasswordAuthentication no" and
> also "UsePAM no". I would think it would be a lot safer to continue to use
> PAM, but, instead, to modify /etc/pam.d/sshd to disallow login passwords. Do
> I need to be concerned if I disable "UsePAM"? Does anyone have hints on the
> PAM modification to disallow passwords?

Why would it be safer to make it PAM's job? What would be the benefit? Could
other services that use PAM also make use of SSH's public key
authentication? How does PAM handle public-key authentication, anyway? Some
quick googling brought up hits from the pam-list that weren't encouraging.

BTW, the default for UsePAM is "no" so there's no need to declare it.



dmackler - Jul 6, 2006 7:12 am (#3 Total: 5)  

The "UsePAM" option in the sshd_config file applies *only* to the ssh daemon's usage of PAM for authentication. PAM will remain available to any other application that chooses to use it for authentication.

In other words, changing those two options will accomplish exactly what you want to do, and no more.

cwilbur (apparently) - Jul 6, 2006 11:35 am (#4 Total: 5)  

On Jul 5, 2006, at 2:01 PM, rross wrote:

> Hi .. I would like to only allow ssh login through public key
> access (OSX 10.4.7), but all the hints I found was to set
> "PasswordAuthentication no" and also "UsePAM no". I would think it
> would be a lot safer to continue to use PAM, but, instead, to
> modify /etc/pam.d/sshd to disallow login passwords. Do I need to be
> concerned if I disable "UsePAM"? Does anyone have hints on the PAM
> modification to disallow passwords?

My inclination would be to add the line:

        PasswordAuthentication no

to /etc/sshd_config. On 10.4.7 client, UsePAM is 'no' by default; I
don't know if it's different on 10.4.7 server.

(There may be a more Mac-like way of editing those files; I'm relying
on my Unix-fu here.)

sshd supports several different means of authentication: the
relevant ones here are password, PAM, and key. By default, PAM is
disabled, and keys are preferred to passwords. If you disable
password authentication, you're then limited to keys, which is what
you want. If you don't *also* disable PAM authentication (or if you
don't leave it disabled) for sshd, you're opening yourself up to PAM
considering a password as valid authentication, which is not what you
want. Or you're in the situation where you're enabling PAM
authentication, but then telling it to not accept any authentication
as valid so that the only valid form of authentication is to use ssh
keys - you might as well just leave it off. (Or turn it off.)

Not using PAM authentication for sshd doesn't affect the use of PAM
authentication elsewhere, of course. If another component of your
system uses PAM, saying "UsePAM no" in /etc/sshd_config will not
affect that other component.

Charlton



--
Charlton Wilbur
cwilburchromatico.net
Conrad Hirano (apparently) - Jul 7, 2006 7:40 am (#5 Total: 5)  

On Jul 6, 2006, at 11:35 AM, Charlton Wilbur wrote:

> If you disable password authentication, you're then limited to
> keys, which is what you want. If you don't *also* disable PAM
> authentication (or if you don't leave it disabled) for sshd, you're
> opening yourself up to PAM considering a password as valid
> authentication, which is not what you want. Or you're in the
> situation where you're enabling PAM authentication, but then
> telling it to not accept any authentication as valid so that the
> only valid form of authentication is to use ssh keys - you might as
> well just leave it off. (Or turn it off.)

I discovered awhile back that to disallow passwords completely, you
need to set both PasswordAuthentication and
ChallengeResponseAuthentication to "no". The sshd server can perform
challenge-response authentication with or without using PAM. That's
what the UsePAM option controls. Even with PasswordAuthentication set
to "no", sshd would still accept a password for authentication as
long as challenge-response is enabled, regardless of the UsePAM setting.

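The thread converges on needing both PasswordAuthentication and ChallengeResponseAuthentication set to "no" before sshd stops offering any password prompt. The script below is an added example (it is not from any poster in the thread) that audits an sshd_config the way sshd reads it: the first occurrence of a keyword wins, keywords are case-insensitive, "Keyword=value" is accepted alongside "Keyword value", and anything after a Match header is conditional and so is only flagged, not evaluated. It treats ChallengeResponseAuthentication and KbdInteractiveAuthentication as one setting, which is how current OpenSSH treats them (the former is the older spelling). The function names and the three sample config fragments are constructed for this example; the assumed defaults are upstream OpenSSH's (PasswordAuthentication yes, KbdInteractiveAuthentication yes, UsePAM no, PubkeyAuthentication yes), and vendor builds often ship different explicit values, so run it against the real file rather than trusting the defaults.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "keys only" login.
# Function names and sample configs are constructed for this example.

# effective_value FILE KEYWORD DEFAULT [ALIAS]
# Print (lower-cased) the value sshd would use for KEYWORD in the global
# section of FILE: first occurrence wins, keyword match is case-insensitive,
# "Keyword value" and "Keyword=value" are both accepted, and parsing stops at
# the first "Match" header because everything below it is conditional.
effective_value() {
    _key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    _alt=$(printf '%s' "${4:-$2}" | tr '[:upper:]' '[:lower:]')
    awk -v key="$_key" -v alt="$_alt" -v def="$3" '
        {
            sub(/#.*/, "")                      # strip comments
            sub(/^[ \t]+/, "")                  # strip leading blanks
            if ($0 == "") next
            split($0, f, /[ \t=]+/)             # f[1]=keyword f[2]=value
            k = tolower(f[1])
            if (k == "match") exit              # global section ends here
            if ((k == key || k == alt) && !found) { val = f[2]; found = 1 }
        }
        END { print (found ? val : def) }
    ' "$1" | tr '[:upper:]' '[:lower:]'
}

# has_match_block FILE: succeed if FILE contains a Match header.
has_match_block() {
    awk '{ sub(/^[ \t]+/, ""); if (tolower($1) == "match") { found = 1; exit } }
         END { exit !found }' "$1"
}

# passwordless_only FILE
# Report the effective settings; return 0 only when neither plain-password
# nor keyboard-interactive (challenge-response) logins can be offered.
passwordless_only() {
    cfg=$1; rc=0
    pw=$(effective_value "$cfg" PasswordAuthentication yes)
    # ChallengeResponseAuthentication and KbdInteractiveAuthentication are the
    # same knob in OpenSSH; the first occurrence of either spelling wins.
    kbd=$(effective_value "$cfg" KbdInteractiveAuthentication yes ChallengeResponseAuthentication)
    pam=$(effective_value "$cfg" UsePAM no)         # upstream default; vendors vary
    pub=$(effective_value "$cfg" PubkeyAuthentication yes)
    printf '  PasswordAuthentication=%s KbdInteractive/ChallengeResponse=%s UsePAM=%s Pubkey=%s\n' \
        "$pw" "$kbd" "$pam" "$pub"
    [ "$pw" = no ]  || { echo "  FAIL: plain-password login still offered"; rc=1; }
    [ "$kbd" = no ] || { echo "  FAIL: keyboard-interactive still offered (a password prompt, UsePAM=$pam or not)"; rc=1; }
    [ "$pub" = yes ] || echo "  WARN: PubkeyAuthentication is off; key logins would fail too"
    has_match_block "$cfg" && echo "  NOTE: Match block present; per-user/host overrides not evaluated"
    return $rc
}

# write_samples DIR: three constructed sshd_config fragments (not real hosts).
write_samples() {
    cat > "$1/key_only.conf" <<'EOF'
# what the thread converges on
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
EOF
    cat > "$1/half_done.conf" <<'EOF'
# the trap: PasswordAuthentication off, challenge-response left at its default
PasswordAuthentication no
UsePAM no
EOF
    cat > "$1/tricky.conf" <<'EOF'
# first occurrence wins, keywords are case-insensitive, "=" is allowed
passwordauthentication=no
PasswordAuthentication yes
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

# Usage on a real host: passwordless_only /etc/sshd_config
# Demo on the constructed samples:
demo() {
    d=$(mktemp -d) || return 1
    write_samples "$d"
    for f in "$d"/*.conf; do
        printf '== %s\n' "$(basename "$f")"
        if passwordless_only "$f"; then echo "  RESULT: keys only"; else echo "  RESULT: passwords still accepted"; fi
    done
    rm -rf "$d"
}
demo
```

On a current OpenSSH build, "sshd -T" prints the configuration the daemon actually resolved (including Match evaluation for a given connection via "-C") and is the authoritative check; the script above is for hosts, like the Tiger-era one in the thread, where that flag does not exist or where you only have the file. Whatever the method, keep your existing session open and confirm that a fresh connection with the key removed is refused before you log out.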