Thicket data repository for the EEG
{
  "id": "https://www.tunbury.org/2025/08/08/ssl-password",
  "title": "SSL Password Authentication",
  "link": "https://www.tunbury.org/2025/08/08/ssl-password/",
  "updated": "2025-08-08T00:00:00",
  "published": "2025-08-08T00:00:00",
  "summary": "Would you like the maintainer’s version of the file or the local one? It’s one of those questions during apt upgrade that you answer on autopilot. Normally, it’s local every time. Sometimes, the changes look mundane, and you take the maintainer’s. I did that today on /etc/ssh/sshd_config, but it made me pause and check whether password authentication had been inadvertently turned back on.",
  "content": "<p>Would you like the maintainer’s version of the file or the local one? It’s one of those questions during <code>apt upgrade</code> that you answer on autopilot. Normally, it’s <em>local</em> every time. Sometimes, the changes look mundane, and you take the <em>maintainer’s</em>. I did that today on <code>/etc/ssh/sshd_config</code>, but it made me pause and check whether password authentication had been inadvertently turned back on.</p>\n\n<p>I could check the defaults for <code>sshd</code> and look at the values set in <code>/etc/ssh/sshd_config</code> and any files in <code>/etc/ssh/ssh_config.d</code>, but it would surely be easier to try to log in remotely using a password by turning off public key authentication.</p>\n\n<div><div><pre><code>~<span>$ </span>ssh <span>-o</span> <span>PreferredAuthentications</span><span>=</span>password <span>-o</span> <span>PubkeyAuthentication</span><span>=</span>no username@hostname\nusername@hostname: Permission denied <span>(</span>publickey<span>)</span><span>.</span>\n</code></pre></div></div>\n\n<p>That machine looks secure. What about other machines? I have an Ansible inventory <em>hosts</em> file, and an extensive history in my <code>~/.ssh/known_hosts</code>. I need an automated tool to check everything! <a href=\"https://github.com/mtelvers/ssh-security-checker\">mtelvers/ssh-security-checker</a> is that tool!</p>\n\n<div><div><pre><code><span>$ </span>dune <span>exec</span> <span>--</span> ssh-security-checker ./hosts\nTesting SSH password authentication security <span>for </span>9 hosts...\n\nTesting host1... ❌ NETWORK UNREACHABLE\nTesting host2... ✅ SECURE <span>(</span>password auth disabled<span>)</span>\nTesting host3... 🔑 HOST KEY CHANGED <span>(</span>security warning!<span>)</span>\nTesting host4... ❌ NETWORK UNREACHABLE\nTesting host5... ✅ SECURE <span>(</span>password auth disabled<span>)</span>\nTesting host6... ✅ SECURE <span>(</span>password auth disabled<span>)</span>\nTesting host7... ✅ SECURE <span>(</span>password auth disabled<span>)</span>\nTesting host8... ⚠️ WARNING: PASSWORD AUTH ENABLED!\nTesting host9... ✅ SECURE <span>(</span>password auth disabled<span>)</span>\n</code></pre></div></div>",
  "content_type": "html",
  "author": {
    "name": "Mark Elvers",
    "email": "mark.elvers@tunbury.org",
    "uri": null
  },
  "categories": [
    "ocaml,ssh",
    "tunbury.org"
  ],
  "source": "https://www.tunbury.org/atom.xml"
}