Linux - Security
This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I read the thread pinned at the top of this forum and configured my sshd to only allow connections with a key. I also set sshd for only Protocol 2.
If I try to connect with root, I get the following message: Permission denied (publickey,keyboard-interactive).
I am not trying to enable root to connect, but I don't want that message to print for any users that have no key in their ~/.ssh/authorized_keys file.
Is that possible? I hope I just missed a setting, because as I was reading the thread I was led to believe that disabling password authentication would provide no response if a connection was attempted and failed, and thereby provide no affirmative feedback to would-be hackers. This was stated in the thread.
I don't see that message conveying any useful information. Additionally, I'm not sure what part of the sticky you got that information from, but I don't see the same information. Thirdly, the permission denied message originates from the client, not the server. What kind of behavior do you desire if they do not have a valid key?
I just gave you the answer. The *SERVER* does not generate that message, the client does. I asked what behavior you wanted from the client when users without ssh keys on the server connected to try to help you find a workable solution. I also asked you where you got your initial information that it should be "silent". I've read the thread at the top of this forum, and there's no mention of a silent connection there. If you cannot communicate your problem, do not expect magical answers.
This isn't an argument. You're wrong. The server sends a "denied" response.
If the sshd wasn't responding with the denied response, the client continues to try and eventually times out. I've tested it.
I've stated twice that I don't want the server to respond to a client connection without an authorized key.
I've also said that the above stickied thread implies that password authentication was turned off to remove server response with a password prompt. I am asking if this is possible for sshd also.
It's not a difficult question for somebody that has some experience. It's just difficult to find that person without all the distractions.
The server MUST do some sort of response: you can't make it pretend like it's not there. First off, you get the standard SYN/ACK sequence from the TCP connection. Then the server is the first thing to send data (its version string). If you are playing security through obscurity, it won't work.
My initial impression was that you did not want a displayed message of permission denied. The displayed message is generated by the client, as I proved above.
You may find this article interesting reading about the event sequence that sets up an SSH connection.
I'm not trying to get into an argument with you, I assure you. I am curious how you "tested" the sshd not replying with the denied response. If what you want is for it not to reply, then why don't you just do it the way you tested it?
I also believe I have plenty of experience using Linux and SSH (about 6 years worth). I am sorry if I have misunderstood your questions, but I am attempting to help you.
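What is actually configurable here, as an added example that is not part of the thread: the replies are right that sshd cannot be made silent (it must send its version banner and a USERAUTH_FAILURE reply), but the settings the original poster mentions can be audited. The parenthesised list in "Permission denied (publickey,keyboard-interactive)" is the set of methods the server still offers, so keyboard-interactive appearing there means ChallengeResponseAuthentication was left enabled. The script below is my own; it assumes the plain "Keyword value" form of sshd_config without Match blocks, resolves duplicates first-match-wins as sshd does, and the defaults it assumes for absent keywords are those of the older OpenSSH releases in use when this thread was written (the file names and sample contents are constructed).

```shell
#!/bin/sh
# Added example: audit an sshd_config for the key-only settings discussed in
# the thread. Not part of the thread; keywords and yes/no values are matched
# case-insensitively, the first occurrence of a keyword wins (as in sshd
# outside Match blocks), and only the "Keyword value" form is parsed.

# Constructed sample 1: key-only auth as the poster configured it, but with
# ChallengeResponseAuthentication and PermitRootLogin left at their defaults.
SAMPLE_CONFIG_FILE=$(mktemp)
cat > "$SAMPLE_CONFIG_FILE" <<'EOF'
# constructed sshd_config sample (weak)
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
# a later duplicate is ignored: sshd uses the first value it reads
PasswordAuthentication yes
EOF

# Constructed sample 2: the corrected configuration.
HARDENED_CONFIG_FILE=$(mktemp)
cat > "$HARDENED_CONFIG_FILE" <<'EOF'
# constructed sshd_config sample (hardened)
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF

# sshd_setting FILE KEYWORD
# Prints the effective value of KEYWORD (first match wins); prints nothing if unset.
sshd_setting() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }        # skip comments and blank lines
        tolower($1) == tolower(key)          { print $2; exit } # first occurrence wins
    ' "$1"
}

# expect_setting FILE KEYWORD WANT [DEFAULT]
# Prints ok/FAIL for one keyword. DEFAULT is the value sshd assumes when the
# keyword is absent (assumed old-OpenSSH defaults); with no DEFAULT an absent
# keyword is reported as "unset" and fails the check.
expect_setting() {
    value=$(sshd_setting "$1" "$2")
    [ -n "$value" ] || value="${4:-unset}"
    if [ "$(printf '%s' "$value" | tr 'A-Z' 'a-z')" = "$3" ]; then
        printf 'ok   %-33s %s\n' "$2" "$value"
    else
        printf 'FAIL %-33s %s (want %s)\n' "$2" "$value" "$3"
        return 1
    fi
}

# audit_sshd_config FILE
# Returns 0 only if every check passes. Deliberately absent: any keyword that
# would stop sshd answering an unauthenticated client, because none exists.
audit_sshd_config() {
    rc=0
    expect_setting "$1" Protocol                        2         || rc=1
    expect_setting "$1" PubkeyAuthentication            yes yes   || rc=1
    expect_setting "$1" PasswordAuthentication          no  yes   || rc=1
    expect_setting "$1" ChallengeResponseAuthentication no  yes   || rc=1
    expect_setting "$1" PermitRootLogin                 no  yes   || rc=1
    return $rc
}

for f in "$SAMPLE_CONFIG_FILE" "$HARDENED_CONFIG_FILE"; do
    echo "== $f"
    if audit_sshd_config "$f"; then
        echo "all checks passed"
    else
        echo "one or more checks failed"
    fi
done
```

Run against a real file with `audit_sshd_config /etc/ssh/sshd_config`; on current OpenSSH the Protocol keyword no longer exists and PermitRootLogin defaults to prohibit-password, so adjust the expected values accordingly. Whatever the result, the client will still see a "Permission denied" line when no key matches; what the audit controls is which methods that line lists.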