From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <ammarfaizi2@gnuweeb.org>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on gnuweeb.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.8 required=5.0 tests=ALL_TRUSTED,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,NO_DNS_FOR_FROM,
	URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.6
Received: from [192.168.88.87] (unknown [36.80.217.41])
	by gnuweeb.org (Postfix) with ESMTPSA id E030C7E375;
	Fri, 15 Apr 2022 17:36:55 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gnuweeb.org;
	s=default; t=1650044218;
	bh=YwqLPLedzuPAF04+820L4FMC+1vUIhyOyEQK/2c3ET4=;
	h=Date:Subject:To:Cc:References:From:In-Reply-To:From;
	b=VKrbKC0XQI4JHYhtRbnW/OMozyk7PZ+aLsEij+FkGoEob20oDsiOebQ5nSJOpp0cF
	 J8WhRj79I1OBY2qmkgRH63lCXqL8QwGyRGqM/YW09Slgnj/aQwJJa4X0+ciZArsdPh
	 HH9S17ttBIg/b9U4U4kj2wI+j08Ht3gP72Mt7GXpv3Pw9fhu995zxnlk/PyBxgMtNl
	 GXea+qc9nryWgAeJVLhyKuf6tu3ALvbkYySpKomqwwlsSlatuQkCfVnoDwDanlgwkQ
	 5hB5hhqF0gGlUBZlzVtrVSocnLNrk3u04ajd28x0hWJRjhSD8dkdtl8OXT6XBz/Wuz
	 sBRSbIuGUp6ew==
Message-ID: <d997155b-7788-d52c-fee4-a38d791a5839@gnuweeb.org>
Date: Sat, 16 Apr 2022 00:36:40 +0700
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.7.0
Subject: Re: [PATCH server-a001 v1 1/1] Apply default SSH config and add
 public keys
Content-Language: en-US
To: Alviro Iskandar Setiawan <alviro.iskandar@gmail.com>
Cc: GNU/Weeb Mailing List <gwml@vger.gnuweeb.org>,
 Hazmi Alfarizqi <contact@hzmi.xyz>,
 Alviro Iskandar Setiawan <alviro.iskandar@gnuweeb.org>
References: <20220415171554.35696-1-ammarfaizi2@gnuweeb.org>
 <20220415171554.35696-2-ammarfaizi2@gnuweeb.org>
 <CAOG64qM=ZAVUmEzkXMckuZiqjCGNDGQT3f0aQXz_TF-Q3UrgtQ@mail.gmail.com>
From: Ammar Faizi <ammarfaizi2@gnuweeb.org>
In-Reply-To: <CAOG64qM=ZAVUmEzkXMckuZiqjCGNDGQT3f0aQXz_TF-Q3UrgtQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
List-Id: <gwml.vger.gnuweeb.org>

On 4/16/22 12:29 AM, Alviro Iskandar Setiawan wrote:
> On Sat, Apr 16, 2022 at 12:16 AM Ammar Faizi <ammarfaizi2@gnuweeb.org> wrote:
>>
>> 1) Set the default port to 48589, don't use port 22 since we will
>>     inevitably get brute-force SSH attack from random botnets. Even if
>>     it's not really a concern if we're using a private key for the auth,
>>     let's not spam our auth log with many login failed lines.
> 
> The sshd_config in this patch doesn't disable the password auth, tho
> 
> This:
> 
>> +PermitRootLogin prohibit-password
> 
> only disables password auth for root, you're still asked to enter the
> password, but it will never work for root even if the root password is
> correct. However, if the login user is not root, the password auth is
> still valid.
> 
>> +# To disable tunneled clear text passwords, change to no here!
>> +#PasswordAuthentication yes
> 
> This should be set to "no" to really disable password auth.

Ack, yes, my bad. Will fix it in the v2.

-- 
Ammar Faizi