Quote:
Originally Posted by Oko
This is really not that serious. First off, one should not allow password authentication on Internet-facing ports to begin with, only PermitRootLogin without-password. Some BSD systems like DragonFly BSD ship with such a default. Even if one did allow password login, the first problem is guessing the username, as nobody normal (Linux people are not normal) allows root login with a password anyway.
Besides, one should use the combination of PF's built-in ssh brute-force attack prevention and sshguard, possibly even adding fail2ban for more complex setups.
Some services might need password authentication though, e.g. a free shell service. I use public key authentication to connect to these, but only after uploading my public key using password authentication. The person running the sshd up there can't turn off PasswordAuthentication unless he's willing to gather and deploy keys in some way I'm unfamiliar with.
But this problem affects challenge-response in combination with KbdInteractiveAuthentication, and PAM must be involved, it seems. I suspect you're referring to "password authentication" in a generic sense, not the specific subsystems here, but the article implies that systems whose sshd_config has PasswordAuthentication still have the desired login-attempt limits. You need to be using this other subsystem, which I'd never heard of before and don't really understand, but was disappointed to find enabled by default on my Slackware system. But Slackware doesn't use PAM, so it's supposedly not vulnerable (thank you, Pat, for not enabling PAM yet).
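As an added example (not code from either poster), here is a small POSIX shell audit that reads an sshd_config and flags the directives the two posts argue about: PasswordAuthentication, the ChallengeResponseAuthentication/KbdInteractiveAuthentication pair that opens the keyboard-interactive path, UsePAM, and PermitRootLogin. The three sample configs are constructed to match the cases in the thread (a fully open host, a shell service that must keep passwords but closes keyboard-interactive, and Oko's keys-only setup); the helper names are my own and the "absent keyword" defaults are the upstream OpenSSH ones.

```shell
#!/bin/sh
# Added example for this thread, not code from any poster: audit an sshd_config
# for the directives discussed above. The sample configs are constructed, not
# taken from real hosts.
# Limitation: the lookup ignores Match blocks, so run it on the global section
# or on `sshd -T` output, which prints effective values with defaults filled in.

# sshd_get FILE KEYWORD: print the first value of KEYWORD (sshd honours the
# first occurrence of each keyword); comment lines never match because their
# first field starts with '#'. Prints nothing when the keyword is absent.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_audit FILE: print one WARN line per setting that keeps a guessing path
# open. Absent keywords take the upstream OpenSSH defaults set below.
sshd_audit() {
    f=$1
    pa=$(sshd_get "$f" PasswordAuthentication)
    cr=$(sshd_get "$f" ChallengeResponseAuthentication)
    ki=$(sshd_get "$f" KbdInteractiveAuthentication)
    pam=$(sshd_get "$f" UsePAM)
    root=$(sshd_get "$f" PermitRootLogin)
    : "${pa:=yes}" "${cr:=yes}" "${ki:=yes}" "${pam:=no}" "${root:=yes}"

    if [ "$pa" = yes ]; then
        echo "WARN PasswordAuthentication yes: plain password guessing possible"
    fi
    # keyboard-interactive is offered only when both of these are yes; with
    # UsePAM yes the prompts are driven by PAM, the combination the poster names
    if [ "$cr" = yes ] && [ "$ki" = yes ]; then
        msg="WARN keyboard-interactive enabled (ChallengeResponseAuthentication yes, KbdInteractiveAuthentication yes)"
        if [ "$pam" = yes ]; then
            msg="$msg with UsePAM yes"
        fi
        echo "$msg"
    fi
    if [ "$root" = yes ]; then
        echo "WARN PermitRootLogin yes: root reachable with a password"
    fi
    return 0
}

# sshd_warn_count FILE: number of WARN lines (0 means nothing flagged).
sshd_warn_count() {
    sshd_audit "$1" | awk 'END { print NR }'
}

# Constructed sample configs.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

WEAK_CONF="$tmp/weak.conf"
cat >"$WEAK_CONF" <<'EOF'
# everything the thread warns about, switched on
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF

SHELL_SERVICE_CONF="$tmp/shell-service.conf"
cat >"$SHELL_SERVICE_CONF" <<'EOF'
# a host that must keep passwords (users upload keys over a password login)
# but closes the keyboard-interactive/PAM path
PermitRootLogin without-password
PasswordAuthentication yes
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM no
EOF

HARDENED_CONF="$tmp/hardened.conf"
cat >"$HARDENED_CONF" <<'EOF'
# Oko's recommendation: keys only on Internet-facing ports
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
UsePAM no
MaxAuthTries 3
EOF

for c in "$WEAK_CONF" "$SHELL_SERVICE_CONF" "$HARDENED_CONF"; do
    echo "== $c: $(sshd_warn_count "$c") warning(s)"
    sshd_audit "$c"
done
```

The weak config produces three warnings, the shell-service config only the unavoidable PasswordAuthentication one, and the hardened config none. On a live host, feed it `sshd -T` output (keywords come out lowercase, which the case-insensitive lookup handles) so that defaults and Match-block overrides are already resolved.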