Fermilab Computing Division

Policy Violation: Strong Authentication (SSHD password authentication)

Restricted Access
You have been directed here because your node was detected offering password authentication on its SSH server service. This violates the FNAL Strong Authentication policy. All nodes offering this SSH service must use Kerberos authentication. Although your SSH server may be configured to use Kerberos, it is also configured to fall back to the less secure password authentication method. This fallback lets attackers attempt to brute-force usernames and passwords to gain unauthorized access to your system.

To remediate this event, you can:

  • Turn off the SSH service (remove the RC file from your startup location, or run 'chkconfig sshd off' on Linux systems)
  • Disable password authentication by changing the 'PasswordAuthentication yes' value to 'PasswordAuthentication no' in the /etc/ssh/sshd_config file (or /etc/sshd_config on the Macintosh)
  • If you cannot turn off this service and cannot install a Kerberos-aware version of SSHD, you may request an exemption from the FNAL Computer Security Team

In addition, if you are using SSHv1, you should upgrade to SSHv2. Also, if you do not require general inbound SSH access, you should implement host-based controls (such as iptables) to prevent unwanted access attempts. If you are unsure how to reconfigure your SSHD service or how to apply host-based controls, please contact the Fermilab Help Desk or your local system administrator.

After applying one of the methods above, please visit the URL in the email notice you received to close the event.
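One way to confirm the configuration change before closing the event, as an added example that is not part of the original notice or Fermilab's tooling: the hypothetical `audit_sshd_config` function below reads an sshd_config and reports a remaining password fallback or SSHv1 setting. The sample file at the end is constructed for illustration.

```shell
#!/bin/sh
# Added example (not Fermilab tooling): report whether an sshd_config still
# permits the password fallback or SSHv1 described in this notice.
# Returns 0 if clean, 1 if a finding was printed, 2 if the file is unreadable.
# Limitation: Include directives are not followed.
audit_sshd_config() {
    [ -r "$1" ] || { echo "ERROR: cannot read $1"; return 2; }
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { sub(/=/, " "); key = tolower($1); val = tolower($2) }
        key == "match" { in_match = 1; next }    # later lines are conditional
        key == "passwordauthentication" && in_match {
            if (val != "no") {
                print "FAIL line " NR ": Match block re-enables password authentication"
                bad = 1
            }
            next
        }
        key == "passwordauthentication" && !seen {
            seen = 1                             # sshd keeps the first global value
            if (val != "no") { print "FAIL line " NR ": PasswordAuthentication " val; bad = 1 }
            next
        }
        key == "protocol" && val ~ /(^|,)1(,|$)/ {
            print "FAIL line " NR ": SSHv1 enabled (Protocol " val ")"; bad = 1
        }
        END {
            if (!seen) { print "FAIL: PasswordAuthentication not set; sshd defaults to yes"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    ' "$1"
}

# Constructed sample: Kerberos (GSSAPI) enabled, but the password fallback left on.
sample=$(mktemp)
printf '%s\n' 'Protocol 2' 'GSSAPIAuthentication yes' 'PasswordAuthentication yes' > "$sample"
audit_sshd_config "$sample" || echo "remediation needed"
rm -f "$sample"
```

A changed sshd_config only takes effect after sshd is restarted or reloaded. On a live host, `sshd -T` prints the effective configuration, including settings from files this function does not follow.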

 

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team; last modified by FJN on July 5, 2007.
(Address comments about page to the Computer Security Team.)