SSH password vs public key auth in 3.8.8

[randalbankman]

Greetings,

So, I noticed this: http://secunia.com/advisories/44993/ and upgraded to 3.8.8. However, it's not clear to me how exactly to specify through the admin interface or config files the use of public key authentication *only*.

Is it as simple as adding a pub key path per user per domain and unchecking the 'enable password' box on each user's config?

Or is there a global config option to keep the SSH response from appearing to include both authentication mechanisms, password and publickey?

Thanks!

[FTP]

Yes, you are right! Just add a pub key path per user per domain and unchecking the 'enable password' box on each user's config

[randalbankman]

Yes, you are right! Just add a pub key path per user per domain and unchecking the 'enable password' box on each user's config

Ok, I need a quick sanity check then. If the 'enable password' box is unchecked and no public key is put in place yet ... then it appears one can just login with no credentials (?).

Seems it will prompt for a password, even with 'enable password' unchecked, but if you just send a newline ... it logs you right in! The effect being that even if you do put a public key in place ... one could still login w/o a password.

Is this correct?

[randalbankman]

Nevermind ... I follow now. With pubkey in place, password auth can be offered, but does not complete. So, all is well I believe.

Yes, you are right! Just add a pub key path per user per domain and unchecking the 'enable password' box on each user's config

Ok, I need a quick sanity check then. If the 'enable password' box is unchecked and no public key is put in place yet ... then it appears one can just login with no credentials (?).

Seems it will prompt for a password, even with 'enable password' unchecked, but if you just send a newline ... it logs you right in! The effect being that even if you do put a public key in place ... one could still login w/o a password.

Is this correct?