F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Paul Wouters paul at nohats.ca
Fri Jan 9 14:14:24 UTC 2015


On Fri, 9 Jan 2015, DJ Delorie wrote:

>>> So if we truly want to address this feature, we should also disallow
>>> non-root user password based ssh logins.
>>
>> Do I get this right? You want to disallow any remote logins (which
>> nowadays means using ssh)?
>
> No, he means that ssh connections should require a pre-shared key.

Actually, I meant keypair-based authentication with ssh using
authorized_keys (which are NOT preshared keys - it is public key
authentication).

> My systems are set up that way, you can't just ssh in from anywhere, you
> can only ssh in from machines that have your private key.  If you try
> to log in without a pre-shared key, it won't prompt you for your unix
> password, it will just fail.

If your public key authentication fails, it still prompts you for a
password but even if you have set a password it will reject it. This is
to prevent leaking configuration information (e.g. to avoid telling
attackers whether or not password-based logins are allowed on the
machine).

Paul
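
As an added example (not part of the original message and not OpenSSH's own code): a small Python check of the global section of an sshd_config for the settings this thread discusses, PermitRootLogin and password-based logins. The defaults table and both sample configs are assumptions constructed for illustration; the parser relies on sshd using the first value it reads for each keyword.

```python
import re

# Assumed upstream defaults when a keyword is absent (they vary by version/distro).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
}
# Older configs use the deprecated name for keyboard-interactive auth.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Matches "Keyword value" and "Keyword=value"; comment lines do not match.
LINE = re.compile(r"^\s*([A-Za-z]+)\s*(?:=\s*|\s+)(\S+)")


def effective_settings(config_text):
    """Effective global values for the audited keywords (first value wins)."""
    seen = {}
    for raw in config_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"').lower()
        if key == "match":
            break  # Match blocks are conditional; review them separately
        seen.setdefault(ALIASES.get(key, key), value)
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}


def audit(config_text):
    """Return findings for root login and any password-capable auth method."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] != "no":
        findings.append("PermitRootLogin=" + s["permitrootlogin"])
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication=" + s["passwordauthentication"])
    if s["kbdinteractiveauthentication"] != "no":
        # keyboard-interactive can carry PAM password prompts
        findings.append("KbdInteractiveAuthentication=" + s["kbdinteractiveauthentication"])
    return findings


# Constructed samples: the later "PermitRootLogin no" in WEAK is ignored by sshd.
WEAK = "PermitRootLogin yes\nPermitRootLogin no\nPasswordAuthentication yes\n"
HARDENED = ("PermitRootLogin=no\nPasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\nPubkeyAuthentication yes\n")

if __name__ == "__main__":
    print("weak:", audit(WEAK))
    print("hardened:", audit(HARDENED))
```

On a live host, `sshd -T` prints the effective configuration, including values pulled in by Include files that this sketch does not follow.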

