
Disabling password authentication by default?

Asked by Andrew Sayers on 2008-05-07

A recent discussion in ubuntu-devel-discuss turned to the question of whether password authentication should be enabled in the default configuration. The case against doing so is that brute-forcing SSH passwords is becoming a common way of attacking a system. This is backed up with actual evidence, available at: http://monitor.sclab.clarkson.edu/thesis.doc

Would you consider disabling password authentication in the default configuration, and if not, to what degree can we rely on OpenSSH not to disable passwords in the foreseeable future, when developing solutions based on SSH?

The thread in question is visible online at https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2008-May/004078.html - discussions about passwords crop up in several of the later posts.
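The question turns on what the stock sshd_config actually permits when it says nothing about passwords. As an added illustration (not code from the thread, from Ubuntu, or from the OpenSSH project), the script below reads an sshd_config using the rules documented in sshd_config(5): keywords are case-insensitive, the first value obtained for a keyword wins, and directives after the first Match line apply only to matching connections. The two sample configurations, the option defaults listed in DEFAULTS, and the function names are assumptions made for this example.

```python
"""Audit which sshd_config settings leave password logins enabled.

Added example; it is not part of the Launchpad thread or of OpenSSH.
"""

# Documented OpenSSH defaults for the options relevant to password logins.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # with UsePAM this usually prompts for a password
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# ChallengeResponseAuthentication is the older spelling of the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_global_section(text: str) -> dict[str, str]:
    """Return the effective global settings of an sshd_config."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        key = ALIASES.get(key, key)
        if key == "match":
            break                                    # conditional section starts here
        settings.setdefault(key, value)              # first occurrence wins
    return settings


def audit(text: str) -> list[str]:
    """Return findings; an empty list means no password path is open globally."""
    effective = {**DEFAULTS, **parse_global_section(text)}
    findings = []
    if effective["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication is yes (the OpenSSH default when unset)")
    if effective["kbdinteractiveauthentication"] == "yes":
        findings.append("KbdInteractiveAuthentication is yes; with UsePAM this still asks for a password")
    if effective["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes exposes the root account to password guessing")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is off; turning passwords off would lock everyone out")
    return findings


# Constructed samples: a package-style file that never mentions passwords,
# and a hardened one that keeps passwords only for a Match block.
STOCK_CONFIG = """\
# constructed sample, not a real Ubuntu file
Port 22
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

HARDENED_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
UsePAM yes
Match Address 192.0.2.0/24   # constructed: a lab subnet that keeps passwords
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or ["no global password path"])
```

Run against a real file with `audit(open("/etc/ssh/sshd_config").read())`; the point the stock sample makes is that a file which never mentions passwords still has them on, because the default is applied when the keyword is absent.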

Question information

Language: English
Status: Expired
For: Ubuntu openssh
Assignee: No assignee
Last query: 2008-05-08
Last reply: 2008-05-23
Olivier (olivier-lacroix) said : #1

Hi !

I am myself using the package denyhosts, which blacklists IPs after a given number of failed SSH logins. Pretty useful. It is enough for me, and it keeps my logs from being flooded with failed "root" or "john" logins :-)

I don't know if that answers your question though...

With respect, the problem isn't whether SSH can be made secure, but whether it's secure out of the box. As Ubuntu rises in popularity, it's increasingly important to have idiot-proof default settings.

I've only looked briefly at denyhosts*, but it looks like a fine solution for people who don't mind a little administrative overhead. As the above paper discusses, attackers are quite happy to spread a brute force attempt out over days or weeks, so denyhosts-type solutions are only effective if they block addresses permanently. That's fine for users who deliberately install the package, but we'd have all the same problems that spam blacklists have if we installed it by default.

* I'm still holding out for iptables supporting the TARPIT target in the mainline kernel >:)
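The reply above argues that a blocker which only counts recent failures misses an attacker who spreads guesses over days. The following added example (not code from the thread or from denyhosts) makes that concrete on the defender's side: it parses syslog-style "Failed password" lines from sshd and compares a sliding-window threshold with a cumulative count that never forgets. The log lines are constructed, the source addresses come from the RFC 5737 documentation ranges, the year 2008 is assumed because syslog timestamps carry none, and the thresholds are illustrative.

```python
"""Slow versus fast SSH password guessing against two blocking policies.

Added example; not part of the thread and not how denyhosts is implemented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the sshd syslog line for a failed password attempt.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(lines, year=2008):
    """Return (timestamp, user, ip) for each failed password attempt."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def _by_ip(events):
    groups = defaultdict(list)
    for ts, _, ip in sorted(events):
        groups[ip].append(ts)
    return groups


def windowed_offenders(events, threshold, window_seconds):
    """IPs with at least `threshold` failures inside any window of `window_seconds`."""
    window = timedelta(seconds=window_seconds)
    flagged = set()
    for ip, times in _by_ip(events).items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:     # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def cumulative_offenders(events, threshold):
    """IPs with at least `threshold` failures ever, however far apart."""
    return {ip for ip, times in _by_ip(events).items() if len(times) >= threshold}


def _line(ts, user, ip, invalid=True):
    """Format one constructed sshd syslog line (day is space-padded like syslog)."""
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    who = f"invalid user {user}" if invalid else user
    return f"{stamp} host sshd[4242]: Failed password for {who} from {ip} port 51000 ssh2"


def sample_log():
    """Constructed log: a slow attacker, a fast attacker, and a user who mistyped twice."""
    t0 = datetime(2008, 5, 7, 0, 0, 0)
    lines = []
    for i in range(20):    # slow: one guess every 6 hours for 5 days
        lines.append(_line(t0 + timedelta(hours=6 * i), "john", "192.0.2.10"))
    for i in range(6):     # fast: 6 guesses in 10 seconds
        lines.append(_line(t0 + timedelta(days=1, hours=3, seconds=2 * i),
                           "root", "198.51.100.7", invalid=False))
    for i in range(2):     # legitimate user, two typos a minute apart
        lines.append(_line(t0 + timedelta(days=2, minutes=i), "alice", "203.0.113.5"))
    # Unrelated line the parser must ignore.
    lines.append("May  9 00:05:00 host sshd[4243]: Accepted publickey for alice "
                 "from 203.0.113.5 port 51001 ssh2")
    return lines


if __name__ == "__main__":
    events = parse_failures(sample_log())
    print("5 failures in 1 hour:", windowed_offenders(events, 5, 3600))
    print("5 failures ever:     ", cumulative_offenders(events, 5))
```

With a one-hour window the slow guesser is never blocked, which is the reply's point; the cumulative policy catches it, at the cost of permanent entries that have to be managed by hand, which is the reply's objection to shipping such a tool by default.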

Launchpad Janitor (janitor) said : #3

This question was expired because it remained in the 'Open' state without activity for the last 15 days.