F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Reindl Harald h.reindl at thelounge.net
Fri Jan 9 14:51:17 UTC 2015


On 09.01.2015 at 15:32, Alexander Ploumistos wrote:
> On Fri, Jan 9, 2015 at 4:14 PM, Paul Wouters wrote:
>
>         My systems are set up that way, you can't just ssh in from
>         anywhere, you can only ssh in from machines that have your
>         private key.  If you try to log in without a pre-shared key,
>         it won't prompt you for your unix password, it will just fail.
>
>     If your public key authentication fails, it still prompts you for a
>     password but even if you have set a password it will reject it. This is
>     to prevent leaking configuration information (eg to avoid telling
>     attackers whether or not password based logins are allowed in the
>     machine)
>
> I got a little confused here. I also have my server systems set up to
> only use keys. Is it possible to have that along with a "dummy" password
> prompt that always fails? If yes, which directives in sshd configuration
> accomplish that?

you achieve nothing other than cluttered logs from continued dictionary 
attacks with such a setup, even if it were possible, and that has the 
security implication of burying interesting lines in noise

with a response like the one below, a smart zombie would just stop

[root@rawhide ~]# ssh root@local.rhsoft.net
Permission denied (publickey).
[root@rawhide ~]#
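
One way to confirm that a server is in the key-only state that produces the `Permission denied (publickey).` response shown above. This is an added example, not part of the original message; the function names and both sample dumps are constructed, and the input is assumed to be in the effective-configuration format printed by `sshd -T` (one lowercase `keyword value` pair per line).

```shell
#!/bin/sh
# Usage on a real host (as root):  sshd -T | audit_pubkey_only
# Prints one finding per line for every authentication method other than
# publickey that is still enabled. Exit status 0 = publickey only, 1 = findings.
audit_pubkey_only() {
    awk '
        # challengeresponseauthentication is the older name of
        # kbdinteractiveauthentication; either one can produce a password-style
        # prompt. GSSAPI and host-based methods would also be offered to clients.
        $1 == "passwordauthentication" ||
        $1 == "kbdinteractiveauthentication" ||
        $1 == "challengeresponseauthentication" ||
        $1 == "gssapiauthentication" ||
        $1 == "hostbasedauthentication" {
            if ($2 == "yes") { print "enabled: " $1; bad = 1 }
        }
        $1 == "pubkeyauthentication" {
            seen = 1
            if ($2 != "yes") { print "disabled: " $1; bad = 1 }
        }
        END {
            if (!seen) { print "missing: pubkeyauthentication"; bad = 1 }
            exit bad
        }
    '
}

# Constructed sample: key-only server, as described in the thread.
sample_key_only() {
    cat <<'EOF'
permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
gssapiauthentication no
hostbasedauthentication no
EOF
}

# Constructed sample: password and GSSAPI logins still enabled.
sample_mixed() {
    cat <<'EOF'
passwordauthentication yes
kbdinteractiveauthentication no
gssapiauthentication yes
pubkeyauthentication yes
hostbasedauthentication no
EOF
}
```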
