
A correct sshd_config includes:

    PasswordAuthentication no



You can also use https://tinyssh.org instead of the sshd from OpenSSH. It only implements key-based authentication and newer encryption algorithms. It's available on Ubuntu:

    sudo apt install tinyssh
    wget https://github.com/yourusername.keys -O ~/.ssh/authorized_keys
    sudo systemctl enable tinysshd.socket

but it's not widely used, which makes using it risky. To my knowledge there hasn't been a formal audit. Also it doesn't implement the scp protocol, but you can use rsync over ssh:

    alias scp="rsync -e ssh --progress"


> Also it doesn't implement the scp protocol

From the FAQ[1]:

> TinySSH doesn’t have problem with scp protocol, only doesn’t have scp program.

I assume this means an OpenSSH `scp` command will work just fine when pointed at a tinyssh daemon, without the rsync alias.

[1]: https://tinyssh.org/faq.html


TIL TinySSH exists.

Immediate pro: Public domain / CC0

Immediate potential-con: Doesn't implement compression


+1. But just to be sure: that does not prevent testing for usernames and hence enumerating software by testing for known/common service account usernames (e.g. "_tor" on OpenBSD and "debian-tor" on Debian-based OSs). (No claim was made to the contrary; just mentioning this to prevent anyone from thinking otherwise.)


To disable logging in with password you also need:

    ChallengeResponseAuthentication no


I got a chill up my spine when I read this but fortunately it looks like this is the default on Ubuntu 16.04 and 18.04 (at least).


Apparently Debian disabled it in 2005:

    openssh (1:4.1p1-1) experimental; urgency=low

      […]
      * Disable ChallengeResponseAuthentication in new installations, returning
        to PasswordAuthentication by default, since it now supports PAM and
        apparently works better with a non-threaded sshd (closes: #247521).
      […]

     -- Colin Watson <cjwatson@debian.org>  Tue, 31 May 2005 01:33:33 +0100

https://bugs.debian.org/247521


For a longer explanation, see https://blog.tankywoo.com/linux/2013/09/14/ssh-passwordauthe...

Though, if you're using TOTP via a PAM module, you'll want it.
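An added check, written for this thread and not taken from any of the posts or from OpenSSH itself, that reads an sshd_config the way the two comments above describe: password logins only count as off when both PasswordAuthentication and ChallengeResponseAuthentication come out as "no". The sample configs are constructed, and the parsing rules listed in the header comment are assumptions about OpenSSH's behaviour.

```shell
#!/bin/sh
# Added example (not from the thread): check whether an sshd_config really
# disables password logins, i.e. sets both PasswordAuthentication and
# ChallengeResponseAuthentication to "no". OpenSSH rules assumed: keywords
# are case-insensitive, the first occurrence of a keyword wins, both
# directives default to "yes" when absent, and anything inside a "Match"
# block is conditional, so this global check stops there.

# sshd_effective CONFIG_TEXT KEYWORD DEFAULT -> prints the effective value
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
        { gsub(/=/, " ") }                        # accept "Keyword=value" too
        tolower($1) == "match" { in_match = 1 }  # Match block: conditional from here on
        in_match { next }
        !found && tolower($1) == key { val = tolower($2); found = 1 }
        END { print (found ? val : tolower(def)) }'
}

# password_login_disabled CONFIG_TEXT -> succeeds only if both directives are "no"
password_login_disabled() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" = no ]
}

report() {  # report LABEL CONFIG_TEXT
    if password_login_disabled "$2"; then
        echo "$1: password logins disabled"
    else
        echo "$1: password logins still possible" \
             "(PasswordAuthentication=$(sshd_effective "$2" PasswordAuthentication yes)," \
             "ChallengeResponseAuthentication=$(sshd_effective "$2" ChallengeResponseAuthentication yes))"
    fi
}

# Constructed sample configs, not from any real host.
INCOMPLETE='# only the directive most people remember
PasswordAuthentication no
PubkeyAuthentication yes'

HARDENED='Port 22
passwordauthentication no
ChallengeResponseAuthentication=no
Match User backup
    PasswordAuthentication yes'

report INCOMPLETE "$INCOMPLETE"   # still possible: keyboard-interactive/PAM path open
report HARDENED "$HARDENED"       # disabled globally; Match overrides need separate review
```

Newer OpenSSH spells the second directive KbdInteractiveAuthentication and keeps ChallengeResponseAuthentication as an alias, so a config that uses only the new name is reported conservatively here as still allowing password logins. On a live host, `sshd -T` prints the effective values directly.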

