
SSH password vs public key auth in 3.8.8

Posted: Fri Jul 22, 2011 12:06 pm
by randalbankman
Greetings,

So, I noticed this: http://secunia.com/advisories/44993/ and upgraded to 3.8.8. However, it's not clear to me how exactly to specify through the admin interface or config files the use of public key authentication *only*.

Is it as simple as adding a pub key path per user per domain and unchecking the 'enable password' box on each user's config?

Or is there a global config option to keep the SSH response from appearing to include both authentication mechanisms, password and publickey?

Thanks!

Re: SSH password vs public key auth in 3.8.8

Posted: Fri Jul 22, 2011 12:50 pm
by FTP
Yes, you are right! Just add a pub key path per user per domain and uncheck the 'enable password' box on each user's config.

Re: SSH password vs public key auth in 3.8.8

Posted: Fri Jul 22, 2011 1:16 pm
by randalbankman
FTP wrote: Yes, you are right! Just add a pub key path per user per domain and uncheck the 'enable password' box on each user's config.
Ok, I need a quick sanity check then. If the 'enable password' box is unchecked and no public key is put in place yet ... then it appears one can just log in with no credentials (?).

Seems it will prompt for a password, even with 'enable password' unchecked, but if you just send a newline ... it logs you right in! The effect being that even if you do put a public key in place ... one could still log in w/o a password.

Is this correct?

Re: SSH password vs public key auth in 3.8.8

Posted: Fri Jul 22, 2011 1:23 pm
by randalbankman
Never mind ... I follow now. With pubkey in place, password auth can be offered, but does not complete. So, all is well I believe.
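
The thread turns on the difference between a server offering the password method and a password attempt actually completing. The following is an added example, not part of the original posts or of the product discussed: it decodes RFC 4252 user-authentication replies recorded during a test of your own server and reports each case separately. The function names and the sample bytes are constructed for illustration.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # RFC 4252, section 5.1
SSH_MSG_USERAUTH_SUCCESS = 52


def parse_userauth_reply(payload: bytes) -> dict:
    """Decode one server reply payload from the SSH userauth layer."""
    if not payload:
        raise ValueError("empty payload")
    if payload[0] == SSH_MSG_USERAUTH_SUCCESS:
        return {"success": True, "methods": [], "partial": False}
    if payload[0] != SSH_MSG_USERAUTH_FAILURE:
        raise ValueError(f"unexpected message type {payload[0]}")
    if len(payload) < 5:
        raise ValueError("truncated name-list length")
    (n,) = struct.unpack(">I", payload[1:5])
    if len(payload) != 5 + n + 1:
        raise ValueError("name-list length does not match payload")
    names = payload[5:5 + n].decode("ascii")
    # Body: name-list of methods that can continue, then a partial-success boolean.
    return {"success": False, "methods": names.split(",") if names else [],
            "partial": payload[5 + n] != 0}


def audit(none_reply: bytes, empty_password_reply: bytes) -> list:
    """Findings for a key-only account, from two recorded server replies."""
    findings = []
    first = parse_userauth_reply(none_reply)
    if first["success"]:
        findings.append("CRITICAL: 'none' request authenticated")
    elif "password" in first["methods"]:
        findings.append("INFO: password method is advertised")
    if parse_userauth_reply(empty_password_reply)["success"]:
        findings.append("CRITICAL: empty password authenticated")
    return findings


def failure(methods: str, partial: bool = False) -> bytes:
    """Build a constructed USERAUTH_FAILURE payload for the samples below."""
    raw = methods.encode("ascii")
    return (bytes([SSH_MSG_USERAUTH_FAILURE]) + struct.pack(">I", len(raw))
            + raw + bytes([int(partial)]))


# Constructed sample replies, not captured from any real server.
ADVERTISED = failure("publickey,password")
OK_SERVER = audit(ADVERTISED, ADVERTISED)
BAD_SERVER = audit(ADVERTISED, bytes([SSH_MSG_USERAUTH_SUCCESS]))
```

`OK_SERVER` carries only the informational finding (the method is listed but the attempt fails), while `BAD_SERVER` adds the critical one.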