The following change to sshd's default security setting is very likely to cut off ssh access to less advanced users.

--- /etc/ssh/sshd_config 2005-05-05 13:41:24.000000000 -0500 +++ /etc/ssh/._cfg0000_sshd_config 2005-05-29 14:25:36.000000000 -0500 @@ -53,7 +53,7 @@ #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! -PasswordAuthentication yes +PasswordAuthentication no #PermitEmptyPasswords no

I know that denying password auth is the right thing to do. However, if you don't really know how to manage ssh keys, or simply didn't get around to it before accepting this config update, you may find your ssh to a server in a remote data center cut off without being properly prepared. This happened to me once months ago, and now I watch config updates in openssh like a hawk to avoid repeating the mistake.

If "PasswordAuthentication yes" is so risky that it can't be allowed by default, please come up with some mechanism to prevent the user from mistakenly accepting it without having sufficiently prepared ssh keys. Perhaps a USE var or a compile-time check for the necessary ssh keys. Thanks.

Reproducible: Always
Steps to Reproduce:
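Review bot: flipping PasswordAuthentication to no on its own does not close password logins when UsePAM is yes (the setting the later comments say the default config keeps), because PAM's keyboard-interactive prompt still accepts a password; the hunk leaves UsePAM and ChallengeResponseAuthentication untouched, so it only becomes a real lockout on a build without PAM, which is exactly the case the report describes. If the intent is to disable password logins, set ChallengeResponseAuthentication no alongside it; if the intent is just the documented default, the file's own comment "# To disable tunneled clear text passwords, change to no here!" is the only warning an admin gets, so a post-install message telling them to verify ~/.ssh/authorized_keys before restarting sshd would address the reporter's request.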
Completing summary title.
Well, actually you are wrong. Users will still be allowed to log in using password authentication because UsePAM yes overrides this.
If you're using PAM, then the default setting is to disable password auth but enable PAM. If you're not using PAM, then the default is to enable password auth but disable PAM.
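The pre-flight check the reporter asks for, written against the two-door behaviour the last two comments describe (the password method proper, and PAM's keyboard-interactive prompt when UsePAM is yes). This is an added shell example, not code from the bug, from Gentoo or from OpenSSH. It assumes the stock "Keyword value" line form rather than "Keyword=value", reads only the global section of the file (parsing stops at the first Match block), and assumes AuthorizedKeysFile is left at its default of ~/.ssh/authorized_keys; the sample configs and home directories it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug report or from OpenSSH/Gentoo: a pre-flight check to
# run on an sshd_config before accepting a "PasswordAuthentication no" update.
# Assumptions: directives use the "Keyword value" form of the stock file (not
# "Keyword=value"), only the global section matters (parsing stops at the first
# Match block), and AuthorizedKeysFile is the default ~/.ssh/authorized_keys.

# Print the effective value of one directive. sshd keeps the FIRST occurrence of a
# keyword and matches keywords case-insensitively; commented-out lines are ignored.
sshd_opt() {   # sshd_opt CONFIG KEYWORD DEFAULT
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }' "$1")
    printf '%s\n' "${val:-$3}"
}

# "yes" if a password in any form can still get you in, "no" otherwise.
# Door 1: the plain "password" method (PasswordAuthentication, default yes).
# Door 2: PAM's keyboard-interactive prompt, open when UsePAM=yes and
#         ChallengeResponseAuthentication (newer name KbdInteractiveAuthentication,
#         default yes) is on. This is why "UsePAM yes" keeps password logins working
#         after PasswordAuthentication has been set to no.
password_login_possible() {   # password_login_possible CONFIG
    pw=$(sshd_opt "$1" PasswordAuthentication yes)
    pam=$(sshd_opt "$1" UsePAM no)
    kbd=$(sshd_opt "$1" KbdInteractiveAuthentication \
          "$(sshd_opt "$1" ChallengeResponseAuthentication yes)")
    if [ "$pw" = yes ] || { [ "$pam" = yes ] && [ "$kbd" = yes ]; }; then
        echo yes
    else
        echo no
    fi
}

# "LOCKOUT" if the config closes every password door and the given home directory
# has no non-empty authorized_keys to fall back on; "ok" otherwise.
lockout_risk() {   # lockout_risk CONFIG HOMEDIR
    if [ "$(password_login_possible "$1")" = no ] && [ ! -s "$2/.ssh/authorized_keys" ]; then
        echo LOCKOUT
    else
        echo ok
    fi
}

# Constructed sample configs and home directories (not real files from any system).
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
printf '%s\n' 'UsePAM yes' 'PasswordAuthentication yes' >"$DEMO/before.conf"
printf '%s\n' '# the update from the bug, with UsePAM left on' 'UsePAM yes' \
       'PasswordAuthentication no' >"$DEMO/after.conf"
printf '%s\n' 'UsePAM yes' 'PasswordAuthentication no' \
       'ChallengeResponseAuthentication no' >"$DEMO/strict.conf"
printf '%s\n' 'PasswordAuthentication no' 'Match User backup' \
       'PasswordAuthentication yes' >"$DEMO/nopam.conf"   # no PAM; Match block ignored
mkdir -p "$DEMO/nokeys/.ssh" "$DEMO/keyed/.ssh"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... constructed-placeholder' \
     >"$DEMO/keyed/.ssh/authorized_keys"

for c in before after strict nopam; do
    printf '%-8s password login: %-4s lockout without keys: %s\n' "$c" \
        "$(password_login_possible "$DEMO/$c.conf")" \
        "$(lockout_risk "$DEMO/$c.conf" "$DEMO/nokeys")"
done
```

Run it as `sh check.sh`; to check a live host, point `lockout_risk` at the pending `._cfg0000_sshd_config` and the home directory of the account you actually log in with, and refuse the config update while it reports LOCKOUT. The "after" sample shows the point made in the comments above: with UsePAM yes the new default still accepts passwords, so the file only becomes a lockout once ChallengeResponseAuthentication is also off or PAM is not in use.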