Date: Sat, 16 Apr 2022 00:36:40 +0700
Subject: Re: [PATCH server-a001 v1 1/1] Apply default SSH config and add public keys
To: Alviro Iskandar Setiawan
Cc: GNU/Weeb Mailing List, Hazmi Alfarizqi, Alviro Iskandar Setiawan
References: <20220415171554.35696-1-ammarfaizi2@gnuweeb.org> <20220415171554.35696-2-ammarfaizi2@gnuweeb.org>
From: Ammar Faizi

On 4/16/22 12:29 AM, Alviro Iskandar Setiawan wrote:
> On Sat, Apr 16, 2022 at 12:16 AM Ammar Faizi wrote:
>>
>> 1) Set the default port to 48589, don't use port 22 since we will
>> inevitably get brute-force SSH attacks from random botnets. Even if
>> it's not really a concern if we're using a private key for the auth,
>> let's not spam our auth log with many login failed lines.
>
> The sshd_config in this patch doesn't disable the password auth, tho
>
> This:
>
>> +PermitRootLogin prohibit-password
>
> only disables password auth for root, you're still asked to enter the
> password, but it will never work for root even if the root password is
> correct. However, if the login user is not root, the password auth is
> still valid.
>
>> +# To disable tunneled clear text passwords, change to no here!
>> +#PasswordAuthentication yes
>
> This should be set to "no" to really disable password auth.

Ack, yes, my bad. Will fix it in the v2.

-- 
Ammar Faizi
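The mistake discussed above (a commented-out "#PasswordAuthentication yes" taken for a setting) can be caught mechanically. The checker below is an added example, not code from the patch or the thread; it mirrors the sshd_config(5) rules that a '#' line is a comment, keywords are case-insensitive, and the first value found for a keyword wins. The config excerpts are constructed from the directives quoted in the thread, and the DEFAULTS table is a hand-picked subset of sshd's built-in defaults.

```python
# Added checker: does an sshd_config excerpt really disable password logins?
# Rules mirrored from sshd_config(5): a line whose first non-blank character
# is '#' is a comment (so "#PasswordAuthentication yes" sets nothing, it only
# documents the default), keywords are case-insensitive, and for each keyword
# the first value found wins. Directives after a "Match" line are conditional,
# so the checker stops there and reports global values only.

# Built-in sshd defaults for the keywords checked here (constructed subset).
DEFAULTS = {"port": "22", "permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}


def effective_config(text):
    """Return the effective global value of each keyword in DEFAULTS."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        parts = line.split(None, 1)               # keyword, whitespace, value
        key = parts[0].lower()
        if key == "match":                        # rest of file is conditional
            break
        if len(parts) == 2 and key not in seen:   # first value wins
            seen[key] = parts[1].strip()
    return {k: seen.get(k, v) for k, v in DEFAULTS.items()}


def password_auth_enabled(text):
    """True if some account could still authenticate with a password."""
    return effective_config(text)["passwordauthentication"].lower() == "yes"


# Constructed excerpt mirroring the v1 patch: root is limited to keys, but
# password auth is only commented out, so it keeps the default of "yes".
V1_CONFIG = """\
Port 48589
PermitRootLogin prohibit-password
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
"""

# The v2 fix agreed in the thread: set the directive explicitly.
V2_CONFIG = V1_CONFIG + "PasswordAuthentication no\n"

# Appending "no" below an existing "yes" changes nothing: the first value wins.
APPENDED_CONFIG = "PasswordAuthentication yes\nPasswordAuthentication no\n"
```

On a live host, `sshd -T` prints the effective values the same way, Match blocks included, and is the authoritative check.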