Utility to scan for unpassworded SSH privkeys?

Phil Pennock phil.pennock at globnix.org
Tue May 28 16:22:03 EST 2013


On 2013-05-28 at 00:00 -0400, Nico Kadel-Garcia wrote:
> > I prefer git these days, but do miss the Kerberised access.  If I were
> > going to invest time in setting it up, I'd add OpenSSH on a non-standard
> > port, configure a ForceCommand in the system-wide sshd_config for that
> > sshd and then enable Kerberos as an auth mechanism for that.  Add a
> 
> I'd be really fascinated to see this work. It's not clear to me that
> this actually forces people to use Kerberos tickets rather than
> handling a locally stored plaintext password in Subversion's
> UNIX/Linux clients as currently occurs by default.

Disable the authentication methods that take a password on the wire and
instead require GSSAPI-based authentication, then use the normal
Kerberos-based GSSAPI providers (MIT, Heimdal) which rely upon tickets
and do not support passwords in the GSSAPI exchange.

GSSAPIAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods gssapi-with-mic   # assuming very recent OpenSSH

Checking sshd_config.0 from 6.2p1, ChallengeResponseAuthentication is
not available in a Match conditional block, but my understanding is that
with the new AuthenticationMethods option that shouldn't matter, since
you can use it instead.

(Also, KbdInteractiveAuthentication appears to only be documented by its
 presence in the Match documentation, but does still exist in source?)

-Phil

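As an added example (not part of Phil's message and not OpenSSH's own code), the script below audits an sshd_config text for exactly the property argued above: on the listener carrying the Kerberised service, no password-taking method may remain usable and AuthenticationMethods must require gssapi-with-mic in every alternative. It resolves Match blocks the way sshd does (a matching Match block overrides the global section; the first obtained value wins per keyword), treats ChallengeResponseAuthentication inside a Match block as an error per the 6.2p1 manual cited above, and, following the reasoning in the post, downgrades a leftover enabled password keyword to advisory when AuthenticationMethods already pins every path to a ticket. The sample config, the port numbers and the svnserve path are constructed for the example.

```python
"""Audit an sshd_config for ticket-only (GSSAPI) authentication on one listener.

Added example, not from the mailing-list post or from OpenSSH. It parses
sshd_config text into the global section plus Match blocks, resolves the
effective settings for a listener described by a small facts dict (for
example {"localport": "2222"}), and reports every way a password could still
be accepted on the wire.
"""

# Keywords the post sets to "no"; sshd defaults them to "yes", so a missing
# keyword counts as enabled.
PASSWORD_KEYWORDS = (
    "passwordauthentication",
    "challengeresponseauthentication",
    "kbdinteractiveauthentication",
)
# Per the 6.2p1 manual quoted in the post, this keyword may not appear in a
# Match block; sshd refuses such a file at startup.
NOT_IN_MATCH = {"challengeresponseauthentication"}


def parse_sshd_config(text):
    """Return (global_opts, match_blocks); keywords lowercased, values kept as written.

    match_blocks is a list of (criteria_dict, opts_dict) in file order.
    Trailing '#' comments are stripped as a parser convenience.
    """
    global_opts, blocks = {}, []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # Match takes criteria-pattern pairs, e.g. "LocalPort 2222 User alice".
            words = value.split()
            criteria = {words[i].lower(): words[i + 1] for i in range(0, len(words) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
        else:
            # sshd keeps the first value it sees for a keyword within a section.
            current.setdefault(key, value)
    return global_opts, blocks


def block_matches(criteria, facts):
    """True if every criterion's comma-separated pattern list contains the fact.

    Only exact values are handled (no wildcards or CIDR), which is enough for
    the LocalPort-based listener split discussed in the thread.
    """
    for crit, patterns in criteria.items():
        if crit not in facts or facts[crit] not in patterns.split(","):
            return False
    return True


def effective_options(global_opts, blocks, facts):
    """Merge matching Match blocks (first match wins per keyword) over the globals."""
    effective = {}
    for criteria, opts in blocks:
        if block_matches(criteria, facts):
            for key, value in opts.items():
                effective.setdefault(key, value)
    for key, value in global_opts.items():
        effective.setdefault(key, value)
    return effective


def audit_listener(text, facts):
    """Audit the listener selected by `facts`; returns (blocking, advisory).

    blocking: anything that still lets a password authenticate, or a config
              sshd would reject.
    advisory: password methods left enabled but unusable on their own because
              AuthenticationMethods requires gssapi-with-mic in every
              alternative (the post's reason for not needing
              ChallengeResponseAuthentication inside Match).
    """
    global_opts, blocks = parse_sshd_config(text)
    blocking, advisory = [], []
    for criteria, opts in blocks:
        where = " ".join(f"{k} {v}" for k, v in criteria.items())
        for key in sorted(opts.keys() & NOT_IN_MATCH):
            blocking.append(f"{key} is not allowed inside 'Match {where}' (sshd refuses the file)")
    opts = effective_options(global_opts, blocks, facts)
    if opts.get("gssapiauthentication", "no").lower() != "yes":
        blocking.append("gssapiauthentication is off, so tickets cannot be used at all")
    # AuthenticationMethods: space-separated alternatives, each a comma-joined
    # chain that must be completed in full.  Every alternative must include
    # gssapi-with-mic, or that alternative stays open to whatever it lists.
    alternatives = opts.get("authenticationmethods", "").split()
    pinned = bool(alternatives)
    if not alternatives:
        blocking.append("authenticationmethods not set; any enabled method is accepted")
    for alt in alternatives:
        if "gssapi-with-mic" not in alt.split(","):
            pinned = False
            blocking.append(f"authenticationmethods alternative '{alt}' does not require gssapi-with-mic")
    for key in PASSWORD_KEYWORDS:
        if opts.get(key, "yes").lower() != "no":
            (advisory if pinned else blocking).append(f"{key} still enabled")
    return blocking, advisory


# Constructed sample: an ordinary port-22 sshd plus the ticket-only listener
# from the post on a non-standard port (ports and svnserve path are assumptions).
KERBERISED_CONFIG = """
Port 22
Port 2222
PasswordAuthentication yes
GSSAPIAuthentication no

Match LocalPort 2222
    GSSAPIAuthentication yes
    PasswordAuthentication no
    KbdInteractiveAuthentication no
    AuthenticationMethods gssapi-with-mic   # assumed recent OpenSSH
    ForceCommand /usr/bin/svnserve -t       # assumed path
"""

if __name__ == "__main__":
    for port in ("2222", "22"):
        blocking, advisory = audit_listener(KERBERISED_CONFIG, {"localport": port})
        print(f"LocalPort {port}: blocking={blocking} advisory={advisory}")
```

Run against the sample, the port-2222 listener produces no blocking findings and one advisory (ChallengeResponseAuthentication is still at its default, which AuthenticationMethods renders unusable), while port 22 is reported as wide open. Appending a ChallengeResponseAuthentication line to the Match block turns it into a blocking finding, mirroring the 6.2p1 restriction the post mentions.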

More information about the openssh-unix-dev mailing list