Policy Violation: Strong Authentication (SSHD password  or public key authentication)

You are directed here because your node was detected to have offered password authentication or public key authentication for the SSH server service. This is in violation of the FNAL Authentication policy. All nodes offering this SSH service must utilize Kerberos authentication. While your SSH configuration may be configured to use Kerberos, it is also configured to fall back to a less secure Password or other unapproved authentication method. This permits attackers to attempt to brute-force users and passwords to gain unauthorized access to your system or otherwise access your system using non-centrally managed user accounts..

To remediate this event, you can:

  • Turn off the SSH service (remove the RC file from your startup location or run a 'chkconfig sshd off' on Linux systems)
  • Disable the Password authentication by changing the 'PasswordAuthentication yes' value to 'PasswordAuthentication no' in the /etc/ssh/sshd_config file (or /etc/sshd_config on the Macintosh) or adding a 'PasswordAuthentication no' line to the configuration since the default setting is 'yes'.
  • Disable the Public Key authentication method by adding a 'PubkeyAuthentication noto the configuration file (this default is also 'yes' and so must be explicitly disabled).
  • If you cannot turn off this service and cannot install a Kerberos aware version of SSHD, you may request an exemption from the FNAL Computer Security Team

In addition, if you are using SSHv1, you should upgrade to SSHv2. Also, if you do not require general inbound SSH access, you should implement host based controls (such as IPTABLES) to prevent unwanted access attempts. If you are unsure as how to reconfigure your SSHD service or how to apply host based controls, please contact the Fermilab Service Desk or your local system administrator.

After applying one of the methods above, please visit the URL in the email notice you received to close the event.

 

For assistance contact helpdesk@fnal.gov.
Information compiled and maintained by Computer Security Team (Address comments about page to the Computer Security Team.)