Ask Ubuntu Asked by Sandu Ursu on October 31, 2021
After setting up SSH key-based authentication, people are advised to disable SSH password authentication.
This is done by navigating to /etc/ssh/sshd_config
and making sure that the following line is not commented out:
PasswordAuthentication no
Some tutorials, e.g.
recommend also setting
UsePAM no
After doing that, I have noticed that I no longer get session notifications from the host. For example when I want to shutdown/reboot it, the terminal hangs and I no longer get:
Connection to 192.168.0.3 closed by remote host.
Connection to 192.168.0.3 closed.
I have read here that one should "probably want to keep it on". Furthermore it may actually help you get safer.
Questions:
UsePAM no
contribute to security?UsePAM
?I copy past the comment in the default confiugration file
Set this to 'yes' to enable PAM authentication, account processing, and session processing. If this is enabled, PAM authentication will be allowed through the ChallengeResponseAuthentication and PasswordAuthentication. Depending on your PAM configuration, PAM authentication via ChallengeResponseAuthentication may bypass the setting of "PermitRootLogin without-password". If you just want the PAM account and session checks to run without PAM authentication, then enable this but set PasswordAuthentication and ChallengeResponseAuthentication to 'no'.
for those reason disabling only PasswordAuthentication and ChallengeResponseAuthentication let pam to be setup to handle account and session staff I copy past what those modules type are meant for
account
this module type performs non-authentication based account management. It is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users) or perhaps the location of the applicant user -- 'root' login only on the console.
session
this module type is associated with doing things that need to be done for the user before/after they can be given service. Such things include the logging of information concerning the opening/closing of some data exchange with a user, mounting directories, etc.
you could check the pamd configuration file in etc/pam.conf etc/pam.d/* and doucle check what modules do. Furthermore the connection termination message does not seem to be related to pam configuration... it's sent by sshd specifically in clientloop.c function client_loop
/*
* In interactive mode (with pseudo tty) display a message indicating
* that the connection has been closed.
*/
if (have_pty && options.log_level != SYSLOG_LEVEL_QUIET) {
if ((r = sshbuf_putf(stderr_buffer,
"Connection to %.64s closed.rn", host)) != 0)
fatal("%s: buffer error: %s", __func__, ssh_err(r));
}
in my case it prints that message no matter the value of UsePAM.
Answered by fusillator on October 31, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP