On Sun, 10 May 2009 23:00:23 Lars Müller wrote:
On Sun, May 10, 2009 at 09:55:14PM +0930, Rodney Baker wrote: [ 8y ]
You must make sure you have the following options set in /etc/ssh/sshd_config:
PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no ChallengeResponseAuthentication no
2 times NO.
Both are defaults.
And since version 2 is used by default I no longer have to touch any of the openssh config files to get this working.
I'm taking about openSUSE 11.1 here.
That might be true for 11.1 - my experience detailed above was true for 10.3 and 11.0 (I will probably skip 11.1 and wait for 11.2 or 11.3 since I can see no reason to upgrade at the moment).
Without PasswordAuthentication set to no, I found that even though pubkey was set to yes and everything else was correct it still prompted for a password.
Unfortunately I have to say a third tine NO. ;)
I'm not saying this is wrong or stupid. Disabeling password based auth might increase the level of security. Just having these distributed dictionary based password attacks in mind.
Lars
Whilst I value your knowledge, Lars, my experience on 10.3 at least (which is the version I was running when I first set it up) was that I had to disable password authentication to get it to use pubkey authentication. I've had the same experience setting up 3 different 10.3 systems. I kept the same configuration when I upgraded to 11.0 so I can't say what the default functionality is on 11.0. Regardless, I know that with the above options set my system accepts pubkey authentication and will not accept password or keyboard-interactive authentication attempts. IMHO this *does* make it more secure, since the only way to log on via ssh is to have access to the DSA key. YMMV. Regards, -- =================================================== Rodney Baker VK5ZTV rodney.baker@iinet.net.au ===================================================