The hidden SSH backdoor, or why your password authentication might not be off after all.
So you have installed and hardened your server. You protected SSH with SSH keys, and in your /etc/ssh/sshd_config you set PasswordAuthentication to no. All security checks are green. Beware:
More often than not, access is still possible with a password, and without your knowing.
The reason lurks in an innocuous “sshd_config.d” subdirectory of /etc/ssh.
In it you might find another conf file, named “50-cloud-init.conf” or some such. Any file name will do. If you find “PasswordAuthentication yes” in that file, then you have caught the criminal.
An entry in /etc/ssh/sshd_config.d/*.conf happily and quietly overrides the corresponding setting in /etc/ssh/sshd_config: sshd keeps the first value it reads for each keyword, and the Include line that pulls in those drop-ins sits at the top of sshd_config, so the drop-in is read first and wins.
REMOVE these entries, don’t edit them. Restart the SSH server. As long as the only “PasswordAuthentication” line left is the “PasswordAuthentication no” in your /etc/ssh/sshd_config, nobody can get in without the proper SSH key.
Providers plant these SSH backdoors into the systems they deliver to customers. The ultra-moronic ones then send the password via email, and all bets are off.
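Here is a small audit script for the situation described above. It is an added example, not part of the original post: it scans the drop-in directory and the main file in the order sshd reads them (drop-ins first, via the Include at the top of sshd_config), reports every PasswordAuthentication directive, tells you which value wins under first-value semantics, and strips the offending lines from the drop-ins. The sample config tree it builds under a temporary directory is constructed for the demonstration; on a real host you would point the functions at /etc/ssh. It assumes the Include line is at the top of sshd_config and does not understand Match blocks, so treat `sshd -T | grep -i passwordauthentication` as the authoritative answer on a live system.

```shell
#!/bin/sh
# Added example: audit PasswordAuthentication across sshd_config and its drop-ins.
# Assumption: the Include for sshd_config.d/*.conf sits at the top of sshd_config,
# so drop-ins are read first and, since sshd keeps the first value per keyword,
# a drop-in's value wins. Match blocks are not handled; use `sshd -T` for the
# authoritative effective value on a live host.

# Builds a constructed sample tree (not a real host's files) under "$1".
make_sample_tree() {
  dir="$1"
  mkdir -p "$dir/sshd_config.d"
  printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\nPubkeyAuthentication yes\n' \
    "$dir" > "$dir/sshd_config"
  # The kind of drop-in a provider's image may ship with.
  printf 'PasswordAuthentication yes\n' > "$dir/sshd_config.d/50-cloud-init.conf"
}

# Lists every PasswordAuthentication directive as "<value>\t<file>", in the
# order sshd reads them: drop-ins first, then the main file.
list_password_auth() {
  dir="$1"
  for f in "$dir"/sshd_config.d/*.conf "$dir/sshd_config"; do
    [ -f "$f" ] || continue
    grep -i '^[[:space:]]*PasswordAuthentication[[:space:]]' "$f" |
      awk -v file="$f" '{ printf "%s\t%s\n", tolower($2), file }'
  done
}

# Prints the value sshd will actually use: the first directive it encounters.
effective_password_auth() {
  list_password_auth "$1" | head -n 1 | cut -f1
}

# Removes PasswordAuthentication lines from every drop-in (the post's advice:
# remove the entries rather than editing them). The main sshd_config is left alone.
strip_drop_in_overrides() {
  dir="$1"
  for f in "$dir"/sshd_config.d/*.conf; do
    [ -f "$f" ] || continue
    # grep -v exits 1 when nothing remains; that is fine, the file just becomes empty.
    grep -iv '^[[:space:]]*PasswordAuthentication[[:space:]]' "$f" > "$f.tmp" || true
    mv "$f.tmp" "$f"
  done
}

# Demonstration on the constructed tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
echo "Directives in read order:"
list_password_auth "$demo_dir"
echo "Effective before cleanup: $(effective_password_auth "$demo_dir")"
strip_drop_in_overrides "$demo_dir"
echo "Effective after cleanup:  $(effective_password_auth "$demo_dir")"
rm -rf "$demo_dir"
```

Run `list_password_auth /etc/ssh` on your own box to see whether a drop-in is shadowing the value you set, then restart sshd after cleaning up.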