Hi,

I too have been bitten by this. Having set

  PasswordAuthentication no

in /etc/sshd_config on sid, it took me several months (until I
accidentally deleted my authorized_keys file) to realise that password
authentication was still possible.

The sshd and sshd_config man pages do not explain that it is necessary
to set

  PasswordAuthentication no

and at least one of:

  ChallengeResponseAuthentication no
  UsePAM no

to disable password-based authentication completely.

I guess there are plenty of other Debian users running systems with weak
passwords, unaware that they may be vulnerable because their ssh setup is
weaker than they thought. Better documentation would help here,
preferably in /etc/sshd_config.

Matthew

-- 
Matthew Foulkes
Department of Physics        phone: (020) 7594 7607
Imperial College London      fax:   (020) 7594 7604
Prince Consort Road          email: [EMAIL PROTECTED]
London SW7 2BW               www:   www.imperial.ac.uk/research/cmth
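
Added example, not part of the original message: a small Python check that applies the rule described above (PasswordAuthentication no plus at least one of ChallengeResponseAuthentication no / UsePAM no) to the text of an sshd_config file. The function names and sample configs are constructed for illustration; treating an absent keyword as "yes" is a worst-case assumption, and only the global section before any Match block is read.

```python
# Added example: applies the rule from the message above to sshd_config text.
KEYS = ("passwordauthentication", "challengeresponseauthentication", "usepam")

def effective_settings(config_text):
    """Return the global value of each keyword in KEYS.

    sshd uses the first value it obtains for a keyword, so later duplicates
    are ignored. Parsing stops at the first Match block (global section only).
    Assumption: a keyword absent from the file is treated as "yes".
    """
    found = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()            # keywords are case-insensitive
        if keyword == "match":
            break
        if keyword in KEYS and keyword not in found and len(parts) == 2:
            found[keyword] = parts[1].strip().strip('"').lower()
    return {k: found.get(k, "yes") for k in KEYS}

def password_login_possible(config_text):
    """Return (possible, reason) according to the rule in the message."""
    s = effective_settings(config_text)
    if s["passwordauthentication"] != "no":
        return True, "PasswordAuthentication is not 'no'"
    if s["challengeresponseauthentication"] != "no" and s["usepam"] != "no":
        return True, ("ChallengeResponseAuthentication and UsePAM are both "
                      "enabled, so a password can still be accepted")
    return False, "password-based authentication is disabled"

# Constructed sample configs (not taken from any real system).
ONLY_PASSWORD_OFF = "PasswordAuthentication no\nUsePAM yes\n"
HARDENED = ("PasswordAuthentication no\n"
            "ChallengeResponseAuthentication no\n"
            "UsePAM yes\n")
SHADOWED = HARDENED + "PasswordAuthentication yes\n"  # later duplicate ignored
COMMENTED = "#PasswordAuthentication no\nUsePAM no\n"

if __name__ == "__main__":
    for name in ("ONLY_PASSWORD_OFF", "HARDENED", "SHADOWED", "COMMENTED"):
        print(name, password_login_possible(globals()[name]))
```

On a live system, `sshd -T` prints the effective configuration, including compiled-in defaults, and is the better input for a check like this.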