Greetings,
So, I noticed this: http://secunia.com/advisories/44993/ and upgraded to 3.8.8. However, it's not clear to me how exactly to specify through the admin interface or config files the use of public key authentication *only*.
Is it as simple as adding a pub key path per user per domain and unchecking the 'enable password' box on each user's config?
Or is there a global config option to keep the SSH response from appearing to include both authentication mechanisms, password and publickey?
Thanks!
SSH password vs public key auth in 3.8.8
- Posts: 3
- Joined: Fri Jul 22, 2011 12:02 pm
- Site Admin
- Posts: 2083
- Joined: Tue Sep 29, 2009 6:09 am
Re: SSH password vs public key auth in 3.8.8
Yes, you are right! Just add a pub key path per user per domain and uncheck the 'enable password' box on each user's config.
- Posts: 3
- Joined: Fri Jul 22, 2011 12:02 pm
Re: SSH password vs public key auth in 3.8.8
FTP wrote: Yes, you are right! Just add a pub key path per user per domain and uncheck the 'enable password' box on each user's config
Ok, I need a quick sanity check then. If the 'enable password' box is unchecked and no public key is put in place yet ... then it appears one can just log in with no credentials (?).
Seems it will prompt for a password, even with 'enable password' unchecked, but if you just send a newline ... it logs you right in! The effect being that even if you do put a public key in place ... one could still log in w/o a password.
Is this correct?
- Posts: 3
- Joined: Fri Jul 22, 2011 12:02 pm
Re: SSH password vs public key auth in 3.8.8
Never mind ... I follow now. With pubkey in place, password auth can be offered, but does not complete. So, all is well I believe.
randalbankman wrote:
FTP wrote: Yes, you are right! Just add a pub key path per user per domain and uncheck the 'enable password' box on each user's config
Ok, I need a quick sanity check then. If the 'enable password' box is unchecked and no public key is put in place yet ... then it appears one can just log in with no credentials (?).
Seems it will prompt for a password, even with 'enable password' unchecked, but if you just send a newline ... it logs you right in! The effect being that even if you do put a public key in place ... one could still log in w/o a password.
Is this correct?
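
Added example, not part of the thread and not the vendor's code: a small Python check an administrator could run over saved `ssh -v` client output from a test login against their own server, separating "password is still offered" from "a login actually completed without a key", which is the distinction the thread settles on. The function name, the allowed-method policy and both log samples are assumptions constructed here; the debug line formats are those printed by the OpenSSH client.

```python
import re

# Constructed samples in the format of OpenSSH client `ssh -v` debug output.
KEY_LOGIN_LOG = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Authentication succeeded (publickey).
"""
PASSWORD_LOGIN_LOG = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
"""

ADVERTISED = re.compile(r"Authentications that can continue: (\S+)")
SUCCEEDED = re.compile(r"Authentication succeeded \(([^)]+)\)")


def audit_ssh_debug(log, allowed=("publickey",)):
    """Report methods the server advertised and the one that completed.

    Hypothetical helper: 'allowed' is the local policy (key-only by default).
    An advertised extra method is informational; a completed login through a
    method outside the policy is a failure.
    """
    advertised, succeeded = [], None
    for line in log.splitlines():
        match = ADVERTISED.search(line)
        if match:
            for method in match.group(1).split(","):
                if method not in advertised:
                    advertised.append(method)
        match = SUCCEEDED.search(line)
        if match:
            succeeded = match.group(1)
    findings = []
    extra = [m for m in advertised if m not in allowed]
    if extra:
        findings.append(("info", "offered outside policy: " + ",".join(extra)))
    if succeeded is not None and succeeded not in allowed:
        findings.append(("fail", "login completed via " + succeeded))
    return {"advertised": advertised, "succeeded": succeeded, "findings": findings}


if __name__ == "__main__":
    for name, log in (("key", KEY_LOGIN_LOG), ("password", PASSWORD_LOGIN_LOG)):
        print(name, audit_ssh_debug(log))
```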