Spike in SSH attacks
Benjamin Scott
dragonhawk at gmail.com
Mon Jun 21 12:12:28 EDT 2010
On Mon, Jun 21, 2010 at 10:04 AM, Ted Roche <tedroche at gmail.com> wrote:
>> Apparently attackers are going after "keyboard interactive"
>> authentication, which is separate from "password authentication".
>>
>
> So, even if I have set PasswordAuthentication no in my sshd_config,
> there's still a way to ssh into the server without a key pair? That's
> confusing.

The OpenSSH server has a built-in password prompt/input system, but
it can also farm that job out to PAM or other suitable technologies.

There are other ways to use a keyboard for authentication than
standard Unix passwords, so this isn't just complexity.
One-time-passwords and two-factor things like those RSA SecurID tokens
both require user input, for example.

It's a good idea to explicitly disable any authentication methods
you're not using.

-- Ben
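
Added example, not part of the original message: a small audit that reports whether either typed-secret method discussed in this thread is still enabled or left unstated. The function name `audit_typed_auth` and the sample input are constructed for illustration; it assumes its input is `sshd -T` output or the global part of an `sshd_config` file, and treats `ChallengeResponseAuthentication` as the older name of `KbdInteractiveAuthentication`.

```shell
#!/bin/sh
# Added example (function name is hypothetical, not an OpenSSH tool).
# Reads sshd settings on stdin and prints one finding per typed-secret
# authentication method that is enabled or not set explicitly.
# Exit status: 0 = both methods explicitly "no", 1 = at least one finding.
audit_typed_auth() {
    awk '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        { key = tolower($1); val = tolower($2) }   # keywords are case-insensitive
        key == "match" { exit }              # conditional blocks are not audited here
        # Older configs use ChallengeResponseAuthentication for the same method.
        key == "challengeresponseauthentication" { key = "kbdinteractiveauthentication" }
        key == "passwordauthentication" || key == "kbdinteractiveauthentication" {
            if (!(key in seen)) seen[key] = val    # sshd keeps the first value it reads
        }
        END {
            n = split("passwordauthentication kbdinteractiveauthentication", want, " ")
            bad = 0
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen)) {
                    print k ": not set explicitly"; bad = 1
                } else if (seen[k] != "no") {
                    print k ": enabled (" seen[k] ")"; bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed sample matching the situation in the quoted question:
# password authentication is off, keyboard-interactive is never mentioned.
printf 'PasswordAuthentication no\nUsePAM yes\n' | audit_typed_auth \
    || echo "a typed-secret login method is still reachable"
```

On a live host the same function can be fed the effective configuration with `sshd -T | audit_typed_auth`, run as root.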