OpenSSH and clear text passwords

March 9, 2008


Usually people use SSH as a replacement for rsh, which is of course a good thing. SSH uses encryption to transport your password to the remote server for authentication.

But SSH can do more: you can use a public/private key pair and set it up in such a way (google around for howtos) that SSH only transports the public key over the Internet. This way no passwords are transported, so even if someone breaks the encryption, no harm is done. Well… at least your private key is still safe (for now).

naive solution

In /etc/ssh/sshd_config there are two keywords that must be configured to turn this behavior on: PasswordAuthentication and UsePAM.

The incorrect way to configure this is to use the following config snippet:

PasswordAuthentication no
UsePAM no

This gives you the desired result, but it has a side effect: it disables PAM entirely. PAM does more than password checking; it also sets up your account and session and can apply other settings. So disabling it is not a wise thing to do.

right solution

The following snippet is the correct config for sshd_config:

PasswordAuthentication no
UsePAM yes

Now we only need to configure PAM (this is under Debian/Linux). In /etc/pam.d/ssh it says:

# Standard Un*x authentication.
@include common-auth

This piece of configuration asks for your password, which sshd now handles itself through public-key authentication. So it can be disabled, but a better way is the following.

a new pam.d/ssh

Create /etc/pam.d/common-deny with the following content:

# /etc/pam.d/common-deny - always deny
# pam_deny.so unconditionally returns failure for this stack
auth    required    pam_deny.so

And in /etc/pam.d/ssh change

# Standard Un*x authentication.
@include common-auth

to

# Standard Un*x authentication.
# always deny
@include common-deny

Now sshd uses a secure key exchange for authentication; it still uses PAM, and PAM is configured in such a way that password authentication for sshd always fails.
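As an added check that is not part of the original post, the following shell script audits an sshd_config file and a pam.d/ssh file for the settings described above: the two sshd_config keywords from the naive and right solutions, and the common-auth to common-deny change in PAM. It assumes Debian's whitespace-separated "Keyword value" form in sshd_config (the "Keyword=value" form is not handled) and Debian's @include syntax in /etc/pam.d; all sample files it writes are constructed. It also goes one step beyond the post by reproducing a rule from sshd_config(5): sshd uses the first occurrence of a keyword, so a later "PasswordAuthentication no" does not override an earlier "yes", and a value set only inside a Match block does not change the global setting.

```shell
#!/bin/sh
# Added audit script (not from the original post). Checks an sshd_config
# and a pam.d/ssh file for "PasswordAuthentication no" + "UsePAM yes" and
# for the common-auth -> common-deny change described in the post.

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# sshd_directive FILE KEYWORD
# Prints the effective global value of KEYWORD, lowercased. sshd applies the
# FIRST occurrence of a keyword and ignores later ones; directives after a
# "Match" line only apply conditionally, so the scan stops there.
sshd_directive() {
    want=$(lc "$2")
    while read -r key val rest; do
        case "$key" in ''|'#'*) continue ;; esac   # blank line or comment
        key=$(lc "$key")
        [ "$key" = match ] && break
        if [ "$key" = "$want" ]; then
            lc "$val"; echo
            return 0
        fi
    done < "$1"
    return 1                                        # keyword not set globally
}

# classify_sshd FILE -> ok | naive | password
#   ok       : PasswordAuthentication no, UsePAM yes (the post's right solution)
#   naive    : PasswordAuthentication no, UsePAM no  (PAM disabled entirely)
#   password : sshd itself still accepts passwords
# Missing keywords use the sshd_config(5) defaults: yes for
# PasswordAuthentication, no for UsePAM.
classify_sshd() {
    pw=$(sshd_directive "$1" PasswordAuthentication) || pw=yes
    pam=$(sshd_directive "$1" UsePAM) || pam=no
    if [ "$pw" != no ]; then echo password
    elif [ "$pam" = yes ]; then echo ok
    else echo naive
    fi
}

# classify_pam FILE -> password | deny | none
#   password : an active "@include common-auth" line remains (PAM will prompt)
#   deny     : only "@include common-deny" is wired into the stack
#   none     : neither include present
classify_pam() {
    found=none
    while read -r key arg rest; do
        case "$key" in ''|'#'*) continue ;; esac
        if [ "$key" = "@include" ]; then
            case "$arg" in
                common-auth) echo password; return 0 ;;
                common-deny) found=deny ;;
            esac
        fi
    done < "$1"
    echo "$found"
}

# common_deny_ok FILE -> succeeds only if FILE carries a complete
# "auth required pam_deny.so" line; a bare "auth required" without a
# module name is malformed and is not accepted as a deny rule.
common_deny_ok() {
    while read -r type ctrl module rest; do
        case "$type" in ''|'#'*) continue ;; esac
        [ "$type" = auth ] && [ "$ctrl" = required ] && [ "$module" = pam_deny.so ] && return 0
    done < "$1"
    return 1
}

# Constructed sample inputs for a stand-alone run (not real system files).
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
printf 'PasswordAuthentication no\nUsePAM no\n' > "$TMP/naive.conf"
printf 'PasswordAuthentication no\nUsePAM yes\n' > "$TMP/right.conf"
# First occurrence wins: the later "no" is ignored by sshd.
printf '# site policy\nPasswordAuthentication yes\nUsePAM yes\nPasswordAuthentication no\n' > "$TMP/dup.conf"
# Set only under Match: the global value stays at its default of yes.
printf 'UsePAM yes\nMatch User alice\n    PasswordAuthentication no\n' > "$TMP/match.conf"
printf '# Standard Un*x authentication.\n@include common-auth\n' > "$TMP/pam-before"
printf '# always deny\n@include common-deny\n' > "$TMP/pam-after"
printf '# always deny\nauth    required    pam_deny.so\n' > "$TMP/common-deny"
printf 'auth    required\n' > "$TMP/common-deny-broken"

for f in naive right dup match; do
    printf '%-6s sshd_config: %s\n' "$f" "$(classify_sshd "$TMP/$f.conf")"
done
printf 'pam.d/ssh before: %s, after: %s\n' \
    "$(classify_pam "$TMP/pam-before")" "$(classify_pam "$TMP/pam-after")"
common_deny_ok "$TMP/common-deny" && echo "common-deny: ok"
common_deny_ok "$TMP/common-deny-broken" || echo "common-deny-broken: missing module name"
```

Run it against the real files with sshd_directive /etc/ssh/sshd_config PasswordAuthentication or classify_pam /etc/pam.d/ssh once the functions are sourced; on a live host, sshd -T prints the fully resolved configuration and is the authoritative answer when hand-parsing gets complicated.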