42.5. Authentication Configuration

All SSH implementations have options related to how clients authenticate and the messages displayed to them after login. Specifically, you can permit or deny authentication by username and password or by username and certificate, stop the root user from logging in, and control whether or not rlogin-style .rhosts files are trusted. The exact options differ quite a lot between SSH versions, however, so what is possible with OpenSSH may not be possible if you are running the commercial SSH server.

To edit authentication settings, follow these steps:

1. Click on the Authentication icon on the module's main page to bring up a form like the one shown in Figure 42.3.

Figure 42.3. The authentication options form.


2. Select Yes for the Notify user of new mail? field to have users informed of any new mail in their mail files when they log in. This only works if you are using the standard mail file location on your system, though, and not if delivery is done to a Mailbox or Maildir in users' home directories.

3. To prevent users logging in with a password, change the Allow authentication by password? field to No. This means that only certificate authentication will be accepted, which is not very useful for users who have never logged in before and thus cannot create a private key. It is only useful if your system uses NFS-mounted home directories, or if some other mechanism exists for users to set their public keys. This field is not available if you are running SSH version 3 or above.

4. To allow or deny logins with an empty password (assuming a user's password really is empty), change the Permit logins with empty passwords? field. You may want to block this until users have set their passwords by some other method.

5. Even though a root login via SSH is much more secure than one via telnet (which is unencrypted), you may still want to prevent it. To do this, select No from the Allow login by root? menu. You can also choose Only with RSA auth to force root logins to use a certificate for authentication, or Only for commands to permit only the execution of a single command instead of allowing a full interactive login. That final option is only available, however, if your system runs OpenSSH version 2 or above.

6. To stop users from using certificates to authenticate (and thus force the use of passwords instead), select No from the Allow RSA authentication? field. You might want to do this to force people to enter a password every time, instead of relying on a possibly unencrypted private key to do the authentication for them.

7. To stop the server from strictly checking permissions on users' files in their ~/.ssh directory, select No in the Check permissions on key files? field. Even though turning off these checks is a bad idea from a security point of view, the checks can be annoying for users who have set the wrong permissions and cannot figure out why they cannot be authenticated with a certificate.

8. To have the server display the contents of the message-of-the-day file to users after logging in, select Yes for the Display /etc/motd at login? field. This file usually contains information about your system or notices to users.

9. If you want to have a message sent to clients before they log in, select the second option in the Pre-login message file field and enter the full path to a file containing the text you want sent into the adjacent text box. This text often contains a warning about unauthorized use of the system.

This field is only available if you are running OpenSSH 2.3 or SSH version 2 or above.

10. The rest of the options on the page relate to rlogin-style authentication using rhosts and /etc/hosts.equiv files. Because they trust the client host to have already authenticated the connecting user, they are rather insecure, given the ease with which a source IP address can be faked. For this reason, enabling this kind of authentication is not recommended.

11. To save and activate your new authentication settings, click the Save button at the bottom of the form, followed by Apply Changes on the main page.
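Behind the form, Webmin is editing the SSH server's configuration file, so the settings chosen in steps 4 to 10 can be checked directly on the host as well. The script below is an added example, not part of the book or of the Webmin module: it audits an OpenSSH sshd_config for the same settings and prints the weak value beside the recommended one. The directive names are taken from the OpenSSH sshd_config(5) manual as the equivalents of the Webmin fields (PermitRootLogin for Allow login by root?, PermitEmptyPasswords, StrictModes for Check permissions on key files?, Banner for Pre-login message file, IgnoreRhosts and HostbasedAuthentication for the rhosts options); both configuration texts are constructed samples, not a real host's files.

```shell
#!/bin/sh
# Added example: audit an OpenSSH sshd_config for the authentication settings
# this section configures through Webmin. Constructed sample configs follow;
# the directive/field mapping is the editor's, from sshd_config(5).

SAMPLE_CONFIG='
# constructed sample: a permissive sshd_config before hardening
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
PubkeyAuthentication yes
StrictModes = no
PrintMotd yes
#Banner /etc/issue.net
IgnoreRhosts no
HostbasedAuthentication yes
'

HARDENED_CONFIG='
# constructed sample: the same host after the changes described in this section
Port 22
PermitRootLogin forced-commands-only
PasswordAuthentication yes
PermitEmptyPasswords no
PubkeyAuthentication yes
StrictModes yes
PrintMotd yes
Banner /etc/issue.net
IgnoreRhosts yes
HostbasedAuthentication no
'

# sshd_get DIRECTIVE CONFIG_TEXT
# Print the effective value of a directive. As in sshd, the first occurrence
# wins and keywords are case-insensitive; both "Key value" and "Key=value"
# forms are accepted. Prints nothing when the directive is not set.
sshd_get() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    printf '%s\n' "$2" | awk -v key="$key" '
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            if (line == "" || line ~ /^#/) next
            gsub(/=/, " ", line)
            $0 = line
            if (tolower($1) == key) { print $2; exit }
        }'
}

# check_one DIRECTIVE DEFAULT "ACCEPTABLE VALUES" RECOMMENDED CONFIG_TEXT
# Report a finding when the effective value (the explicit setting, or DEFAULT
# when unset) is not in the acceptable list. Returns 1 on a finding, else 0.
check_one() {
    value=$(sshd_get "$1" "$5")
    shown=$value
    [ -n "$value" ] || { value=$2; shown="(unset, default $2)"; }
    lc=$(printf '%s' "$value" | tr 'A-Z' 'a-z')
    for ok in $3; do
        [ "$lc" = "$ok" ] && return 0
    done
    printf '%-24s %-28s -> %s\n' "$1" "$shown" "$4"
    return 1
}

# sshd_audit CONFIG_TEXT
# Print one line per weak setting and return the number of findings.
# Defaults assumed for unset directives: PermitRootLogin "yes" (OpenSSH
# before 7.0), the others as documented in sshd_config(5).
sshd_audit() {
    cfg=$1
    n=0
    # Step 5: "Only with RSA auth" / "Only for commands" correspond to
    # without-password (prohibit-password in newer releases) / forced-commands-only.
    check_one PermitRootLogin yes "no without-password prohibit-password forced-commands-only" no "$cfg" || n=$((n+1))
    # Step 4: keep empty-password logins blocked.
    check_one PermitEmptyPasswords no no no "$cfg" || n=$((n+1))
    # Step 7: keep permission checks on ~/.ssh files.
    check_one StrictModes yes yes yes "$cfg" || n=$((n+1))
    # Step 9: a pre-login warning banner; any file path is acceptable.
    banner=$(sshd_get Banner "$cfg")
    case "$banner" in
        ""|[Nn][Oo][Nn][Ee])
            printf '%-24s %-28s -> %s\n' Banner "${banner:-(unset, default none)}" "/path/to/warning-file"
            n=$((n+1)) ;;
    esac
    # Step 10: do not trust the client host's word about who the user is.
    check_one IgnoreRhosts yes yes yes "$cfg" || n=$((n+1))
    check_one HostbasedAuthentication no no no "$cfg" || n=$((n+1))
    return $n
}

echo "== before hardening =="; sshd_audit "$SAMPLE_CONFIG"; echo "findings: $?"
echo "== after hardening ==";  sshd_audit "$HARDENED_CONFIG"; echo "findings: $?"
```

To run it against a real server, replace the sample text with `$(cat /etc/ssh/sshd_config)` (the path is the usual OpenSSH default; confirm it on your system). The audit deliberately does not flag PasswordAuthentication: as step 3 explains, disabling passwords is only sensible once every user has a way to install a public key.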
