SSH password vs public key auth in 3.8.8

Post by randalbankman » Fri Jul 22, 2011 12:06 pm

Greetings,

So, I noticed this: http://secunia.com/advisories/44993/ and upgraded to 3.8.8. However, it's not clear to me how exactly to specify through the admin interface or config files the use of public key authentication *only*.

Is it as simple as adding a pub key path per user per domain and unchecking the 'enable password' box on each user's config?

Or is there a global config option to keep the SSH response from appearing to include both authentication mechanisms, password and publickey?

Thanks!
randalbankman
 
posts 3
 
joined Fri Jul 22, 2011 12:02 pm

Re: SSH password vs public key auth in 3.8.8

Post by FTP » Fri Jul 22, 2011 12:50 pm

Yes, you are right! Just add a pub key path per user per domain and uncheck the 'enable password' box on each user's config.
FTP
Site Admin
 
posts 1232
 
joined Tue Sep 29, 2009 6:09 am

Re: SSH password vs public key auth in 3.8.8

Post by randalbankman » Fri Jul 22, 2011 1:16 pm

FTP wrote: Yes, you are right! Just add a pub key path per user per domain and uncheck the 'enable password' box on each user's config.


Ok, I need a quick sanity check then. If the 'enable password' box is unchecked and no public key is put in place yet ... then it appears one can just log in with no credentials (?).

Seems it will prompt for a password, even with 'enable password' unchecked, but if you just send a newline ... it logs you right in! The effect being that even if you do put a public key in place ... one could still log in w/o a password.

Is this correct?
randalbankman
 
posts 3
 
joined Fri Jul 22, 2011 12:02 pm

Re: SSH password vs public key auth in 3.8.8

Post by randalbankman » Fri Jul 22, 2011 1:23 pm

Never mind ... I follow now. With pubkey in place, password auth can be offered, but does not complete. So, all is well I believe.

randalbankman wrote:
FTP wrote: Yes, you are right! Just add a pub key path per user per domain and uncheck the 'enable password' box on each user's config.


Ok, I need a quick sanity check then. If the 'enable password' box is unchecked and no public key is put in place yet ... then it appears one can just log in with no credentials (?).

Seems it will prompt for a password, even with 'enable password' unchecked, but if you just send a newline ... it logs you right in! The effect being that even if you do put a public key in place ... one could still log in w/o a password.

Is this correct?
randalbankman
 
posts 3
 
joined Fri Jul 22, 2011 12:02 pm
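
The question about the SSH response listing both mechanisms, and the later check about logging in with no credentials, both come down to what the server returns to an RFC 4252 `none` authentication request. As an added example (not from the thread and not Wing FTP Server code), this decodes that reply and flags both conditions; the function names and the sample payloads are constructed for illustration.

```python
import struct

SSH_MSG_USERAUTH_FAILURE = 51  # RFC 4252 section 5.1
SSH_MSG_USERAUTH_SUCCESS = 52

def parse_userauth_reply(payload: bytes) -> dict:
    """Decode the server's reply to a USERAUTH_REQUEST (packet payload only)."""
    if not payload or payload[0] not in (SSH_MSG_USERAUTH_FAILURE, SSH_MSG_USERAUTH_SUCCESS):
        raise ValueError("not a USERAUTH_SUCCESS/FAILURE payload")
    if payload[0] == SSH_MSG_USERAUTH_SUCCESS:
        return {"success": True, "methods": [], "partial": False}
    if len(payload) < 6:
        raise ValueError("truncated USERAUTH_FAILURE")
    (n,) = struct.unpack(">I", payload[1:5])  # name-list length, big-endian uint32
    if len(payload) != 5 + n + 1:
        raise ValueError("name-list length does not match payload")
    names = payload[5:5 + n].decode("ascii")
    methods = names.split(",") if names else []
    return {"success": False, "methods": methods, "partial": payload[5 + n] != 0}

def audit_key_only(reply_to_none: bytes) -> list:
    """Findings for an account that is meant to be public-key only."""
    r = parse_userauth_reply(reply_to_none)
    findings = []
    if r["success"]:
        findings.append("login accepted with no credentials")
    if "password" in r["methods"]:
        findings.append("password still advertised")
    if not r["success"] and "publickey" not in r["methods"]:
        findings.append("publickey not offered")
    return findings

def failure(methods, partial=False):
    """Build a constructed USERAUTH_FAILURE payload for the samples below."""
    names = ",".join(methods).encode("ascii")
    return bytes([SSH_MSG_USERAUTH_FAILURE]) + struct.pack(">I", len(names)) + names + bytes([partial])

# Constructed sample payloads, not captured from any real server.
SAMPLES = {
    "both offered": failure(["publickey", "password"]),
    "key only": failure(["publickey"]),
    "no credentials needed": bytes([SSH_MSG_USERAUTH_SUCCESS]),
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(label, "->", audit_key_only(payload) or "ok")
```

An advertised method is not proof that it can complete, as the last post observes, so "password still advertised" describes the name-list only.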
