
Passwords

Password authentication is the basic method of authentication for SSH. SSH servers support authentication for both Windows and Unix platforms. SSH servers on Unix platforms have two methods for password authentication:

■■ /etc/passwd or /etc/shadow

be noted that password authentication is enabled by default on most, if not all, SSH servers. However, it is important to know how to disable/enable password authentication in order to possibly disable it in favor of stronger authentication, such as public-key authentication.

Enabling password authentication is quite simple. For an SSH server installation in a Unix environment, there is a configuration file called sshd2_config (Commercial SSH) or sshd_config (OpenSSH). Both configuration files are quite similar. The sshd_config file is usually located in /etc/ssh, and sshd2_config is located in /etc/sshd2. Enter the following commands to show the contents of the OpenSSH configuration file:

#cd /etc/ssh
#more sshd_config

An abbreviated portion of the output is listed as follows:

# Authentication:
#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes

#PermitEmptyPasswords no

Under the Authentication section, denoted by #Authentication, many settings are given that can be used for the SSH server. The option you are most concerned with is the PasswordAuthentication setting. This setting needs to be set to yes in order for password authentication to be valid, which is the default. Furthermore, if password authentication should be disabled in favor of other authentication methods, this setting should be set to no and uncommented, which means deleting the # from the beginning of the line. An example follows:

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no

# AllowedAuthentications publickey,password
# AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications hostbased,publickey,keyboard-
# RequiredAuthentications publickey,password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2

Under the Authentication section, denoted by ##Authentication, are many settings that can be set for the SSH server. The option you are most concerned with is the AllowedAuthentications setting. This setting by default accepts both password and public keys. In order for password authentication to be valid, password must be written on this line, even though that is the default setting. Furthermore, if password authentication is not required or desired, simply remove password from all the AllowedAuthentications lines, which disables the use of passwords for authentication. As with OpenSSH, be sure to uncomment the line, which means deleting the # at the beginning. Refer to the following example to disable password for authentication:

## Authentication

## publickey and password allowed by default

AllowedAuthentications publickey
# AllowedAuthentications hostbased,publickey,password
# AllowedAuthentications hostbased,publickey,keyboard-
# RequiredAuthentications publickey,password
# LoginGraceTime 600
# AuthInteractiveFailureTimeout 2
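The OpenSSH and Commercial SSH settings described above can be checked by script. The following is an added example, not part of the original text or of either product; the function names and sample files are constructed for illustration, and the sshd2_config logic assumes the behavior the text describes.

```shell
# Added example: audit password-authentication settings in SSH server configs.

# OpenSSH sshd_config. A line starting with '#' is a comment, so a commented
# PasswordAuthentication leaves the default (yes) in force. Keywords are
# case-insensitive and the first uncommented global occurrence wins; anything
# after a Match line is conditional and is not treated as the global setting.
openssh_password_auth() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }
        key == "passwordauthentication" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Commercial SSH sshd2_config, following the page's description: password and
# publickey are accepted by default, and password stays enabled while any
# uncommented AllowedAuthentications line still lists it.
sshd2_password_auth() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { n = split($0, f, /[ \t,=]+/) }
        tolower(f[1]) == "allowedauthentications" {
            seen = 1
            for (i = 2; i <= n; i++) if (tolower(f[i]) == "password") pw = 1
        }
        END { if (!seen || pw) print "yes"; else print "no" }
    ' "$1"
}

# Constructed sample files (not taken from a real server).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '# Authentication:' '#PasswordAuthentication yes' > "$tmp/default"
printf '%s\n' '#PasswordAuthentication yes' 'passwordauthentication no' \
    'PasswordAuthentication yes' > "$tmp/disabled"
printf '%s\n' 'AllowedAuthentications publickey' \
    '# AllowedAuthentications hostbased,publickey,password' > "$tmp/sshd2_off"
printf '%s\n' 'AllowedAuthentications publickey' \
    'AllowedAuthentications hostbased,publickey,password' > "$tmp/sshd2_on"

for f in default disabled; do
    echo "sshd_config/$f: $(openssh_password_auth "$tmp/$f")"
done
for f in sshd2_off sshd2_on; do
    echo "sshd2_config/$f: $(sshd2_password_auth "$tmp/$f")"
done
```

On a host with OpenSSH installed, `sshd -T` prints the effective configuration and is the authoritative check; this parser does not follow Include directives.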

The process of enabling password authentication on Windows-based operating systems is equally simple; however, the process is different for OpenSSH than for Commercial SSH or VanDyke’s VShell SSH server. For OpenSSH installations in Windows environments, there is a configuration file called sshd_config located at Program Files\OpenSSH\ssh\. Enter the following commands to show the contents of the OpenSSH configuration file:

C:\>cd "Program Files"\OpenSSH\ssh\
C:\>type sshd_config

tion is enabled by default. In order to disable the use of password, no must be present. The following example disables password authentication:

PermitRootLogin yes
PasswordAuthentication no

Enabling password authentication with VanDyke Software’s VShell is also quite easy. Using the configuration tool (Start ➪ Programs ➪ VShell ➪ VShell), there is an Authentication section for the Authentication options. Under the Authentication section, you will see many options that can be set. One of the options is Required authentication methods. Under this option are two checkboxes: one for Password and one for Public Key. Simply click the checkbox for Password and hit the Apply button in the lower right-hand corner. Password authentication has now been enabled for all SSH users on the server. If password authentication is not required or desired, simply uncheck the Password checkbox and select the Public Key checkbox, which means public-key configuration must take place (discussed in the following section). Figure 4.3 shows VShell’s Authentication menu.

Figure 4.4 User Authentication section for SSH Communications SSH Server.

Similarly, enabling password authentication for SSH Communications’ SSH server on Windows platforms is quite easy. Using the configuration menu (Start ➪ Programs ➪ SSH Secure Shell Server ➪ Configuration), there is a User Authentication section for the Authentication options. Under the User Authentication section, you will see many options that can be set. One of the options is Password authentication. Under this option are three choices in the drop-down menu. In order to permit password authentication, simply set the drop-down menu to Allow and select Apply on the lower half of the menu. Password authentication has now been enabled for all SSH users on the server. If password authentication is not required or desired, simply select Deny from the drop-down menu and hit Apply. Be sure to complete public-key configuration in order for authentication to occur (discussed in the following section). Figure 4.4 shows the SSH User Authentication menu.