I’ve asked some web hosting providers (Bluehost and Dreamhost) and they both said that on shared hosting accounts they have no way to disable login via SSH with a password. What this means is that even if we set up SSH keys, logging in without them and via the hosting’s password will always be enabled, pretty much negating most of the advantage of the keys.
From what I can find online, editing /etc/ssh/sshd_config is the way to go to disable login via a password, but since it’s shared hosting, that’s not a possibility.
All that said, they never claimed it can’t be done (though I haven’t found a way), just that they don’t support it. Is there a way to do it on a per-user basis, so that I can set it up myself? And if not, why not, what is the (technical/design) limitation in the way SSH works that prevents it?
Answer
[Is there a way to] disable SSH login via password on a per-user basis?
No. Generally.
what is the (technical/design) limitation in the way SSH works that prevents it?
There is nothing in the SSH protocol design or specification that prevents this.
It is an implementation-specific restriction in the SSH daemon (or service).
The usual sshd program on Linux (etc.) platforms was written to read a single configuration file that applies to all users of that instance of the program.
I believe it would be possible to write an SSH daemon that looks for a supplementary configuration file in a user's home directory (for example). However this has not been done (insufficient demand probably).
Is there anything approximately equivalent?
What you can do is set the user's login password to some extremely long and completely random string.
It might be possible to use the shell to set a password that contains characters that cannot be entered using SSH clients of the sort believed to be used by attackers. Or at least to set a password that is much longer than any they are likely to attempt using the usual dictionary-based approaches.
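The following is an added example and is not part of the question or the answer above. It covers the two things discussed on this page in runnable shell: checking what an sshd_config actually says about password logins (the server-side fix the question mentions, which needs root and therefore is not available on shared hosting), and generating the kind of very long random password the answer proposes as the approximate equivalent. The sample config at the bottom is constructed for the demo and does not come from any real host.

```shell
#!/bin/sh
# Added example, not code from the original page.

# Print the effective global PasswordAuthentication value for an
# sshd_config read from stdin. OpenSSH uses the FIRST value it finds for a
# keyword and its compiled-in default is "yes", so a config that never
# mentions the keyword still allows password logins. Lines inside Match
# blocks apply only to the connections they match; a Match block runs to
# the next Match line or end of file, so nothing after it is global.
effective_password_auth() {
    awk '
        /^[[:space:]]*(#|$)/ { next }                   # comments and blank lines
        tolower($1) == "match" { in_match = 1; next }   # rest of file is conditional
        in_match { next }
        tolower($1) == "passwordauthentication" && !seen { seen = 1; val = tolower($2) }
        END { print (seen ? val : "yes") }
    '
}

# Produce a hardened copy of an sshd_config read from stdin: drop every
# global PasswordAuthentication line and prepend an explicit "no" so it is
# the first, and therefore effective, value. Installing the result into
# /etc/ssh/sshd_config requires root on the host.
harden_password_auth() {
    printf 'PasswordAuthentication no\n'
    awk '
        tolower($1) == "match" { in_match = 1 }
        in_match || tolower($1) != "passwordauthentication"   # default action: print
    '
}

# Generate a password from N random bytes (default 48) encoded as base64.
# 48 bytes give 64 characters and 384 bits of entropy, far beyond anything
# an online guessing attack against an SSH login can reach.
random_password() {
    head -c "${1:-48}" /dev/urandom | base64 | tr -d '\n'
}

# Constructed sample config for the demo (not from a real host).
SAMPLE_CFG='Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication no'

echo "global PasswordAuthentication: $(printf '%s\n' "$SAMPLE_CFG" | effective_password_auth)"
echo "after hardening:               $(printf '%s\n' "$SAMPLE_CFG" | harden_password_auth | effective_password_auth)"
echo "fallback password:             $(random_password)"
```

On a host where you do have root, `sshd -T` prints the fully resolved configuration and is the authoritative check. From the client side, `ssh -o PreferredAuthentications=none -o PubkeyAuthentication=no user@host` fails immediately, and the `Permission denied (...)` line lists the authentication methods the server still offers, so you can see whether `password` is among them without touching the server configuration at all.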