
07-15-2008, 02:39 PM
Re: Preventing Auto-Login

c writes:
> Folks,
>
> We have some devious developers that use ssh between two Solaris
> servers.
>
> They run ssh-keygen -t rsa etc etc and set up their auto login between
> the two servers.
>
> Is there a setting in /etc/ssh/sshd_config that I can change to ALWAYS
> ask for a password and prevent ssh from using public/private key
> authentication ?
>
> We'd ideally like to be able to rotate the passwords after the
> developers leave and not leave this potential for a back door into our
> systems. Disabling ssh is not an option as we ( root users ) use it
> all the time..
>
> Bit new to this so please bear with me.
You are attempting to implement a technical control on a people issue,
and actually may end up making things less secure in the process. :-)
The good news is that these developers aren't weakening your security,
more than likely.
Key based auth is actually more secure than password auth as it
resists brute force attacks much better. If you've checked log files
for any sshd on the internet, you know that brute force attacks are
out there in force!
I believe your primary concern should instead be sure that these
developers have protected their private keys with a passphrase that's
not trivially broken, and that their keys are not world readable
(though I'm not sure if openssh will even use such keys).
This brings up the interesting question of whether there are tools to
audit those.
By the way, I work on a highly secured system for a client, and that
one WON'T allow anything but key based auth. Password based auth is
disabled by administrative choice. Key based auth is where it's at.
--
Todd H. http://www.toddh.net/
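The reply above asks whether there are tools to audit the two things it cares about: that developers' private keys carry a passphrase, and that the key files are not readable by anyone but the owner. The script below is an added example written for this thread, not code from either poster. It assumes the traditional PEM-style private keys that `ssh-keygen -t rsa` produced on the Solaris hosts in question (those announce encryption with a `Proc-Type: 4,ENCRYPTED` header); for the newer `OPENSSH PRIVATE KEY` format it falls back to asking `ssh-keygen` to load the key with an empty passphrase, and the `/export/home` path in the usage note is only an assumed Solaris home layout.

```shell
#!/bin/sh
# Audit the private keys in a user's ~/.ssh for the two weaknesses the reply
# singles out: no passphrase, and permissions that let group/other read the key.
# Added example for this thread, not from either poster.

# Return 0 (true) if the file's mode grants group or other any access at all.
# ls -ld is used instead of stat because its mode column is the same on
# Solaris, Linux and BSD; characters 5-10 are the group and other bits.
key_too_open() {
    perms=$(ls -ld "$1" | cut -c5-10)
    case "$perms" in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# Return 0 (true) if the private key is passphrase protected.
key_is_passphrase_protected() {
    # Traditional PEM keys carry a "Proc-Type: 4,ENCRYPTED" header line.
    if grep -q 'ENCRYPTED' "$1"; then
        return 0
    fi
    # Newer "OPENSSH PRIVATE KEY" files carry no such header; the only reliable
    # test is to ask ssh-keygen to load the key with an empty passphrase.
    if grep -q 'OPENSSH PRIVATE KEY' "$1" && command -v ssh-keygen >/dev/null 2>&1; then
        if ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1; then
            return 1
        fi
        return 0
    fi
    return 1
}

# Audit every private key (id_* without a .pub suffix) in the given directory.
# Prints one line per finding; returns 0 when clean, 1 when anything was found,
# so it can be used like a lint tool from a cron job or a login-audit script.
audit_key_dir() {
    dir=$1
    findings=0
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        if key_too_open "$key"; then
            echo "$key: readable by group or other (should be mode 600)"
            findings=$((findings + 1))
        fi
        if ! key_is_passphrase_protected "$key"; then
            echo "$key: private key has no passphrase"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage, run as root across every developer's home directory (assumed
# /export/home layout):
#   for h in /export/home/*; do audit_key_dir "$h/.ssh"; done
```

A key that fails the permission check is the more urgent finding: any other local user can copy it, so it should be treated as compromised and regenerated, not just chmod'ed. A key that merely lacks a passphrase is the case the reply describes, and the remedy is `ssh-keygen -p` on the developer's side plus a policy that it be done.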