> SSH passwords should not have been enabled for login over the Internet. Although the Infrastructure Team had attempted to configure the sshd daemon to disable password-based logins, having `UsePAM yes` set meant that password-based logins were still possible.

From: https://blogs.apache.org/infra/entry/apache_org_04_09_2010
I take this to mean that they set this in `/etc/ssh/sshd_config`:

```
PasswordAuthentication no
UsePAM yes
```

(`UsePAM yes` being the default.)
I found a relevant question where the answer cites the following from the sshd config file:

```
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
```
- So an attacker can bypass `PasswordAuthentication no` and `PermitRootLogin without-password` using `ChallengeResponseAuthentication` if `UsePAM` is enabled? Is that what probably happened here, or am I misunderstanding what the Apache blog describes?
- What is the point of disabling `PasswordAuthentication` or setting `PermitRootLogin` to `without-password` then? I mean, in what scenario does it make sense to use these if it can be bypassed?
- Can one test if `ChallengeResponseAuthentication` is set on a server without valid credentials? Can external attackers tell that a server is a juicy target if they don't have credentials to try with?
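The combination the question describes (`PasswordAuthentication no` alongside `UsePAM yes` with keyboard-interactive authentication left at its default of yes) is the kind of thing a configuration audit should flag before a host is exposed. The script below is an added example, not code from the question or from the Apache post: it reads an sshd_config-style file, resolves each directive the way sshd does (the first non-comment occurrence wins, and an absent directive takes a default), and reports whether any password-style login path remains. The two sample configs are constructed for the demonstration, and the script simplifies in two ways that are assumptions on my part: `Match` blocks are ignored, and the `UsePAM` default is taken as upstream's `no` even though many distributions ship `yes`. On a real host, `sshd -T` prints the effective values and is the authoritative check.

```shell
#!/bin/sh
# Added example (not from the question or the Apache post): audit an
# sshd_config-style file for the pattern discussed above. Simplifications
# (assumptions): "Match" blocks are ignored, and UsePAM defaults to "no"
# (upstream default; many distributions ship "yes"). On a real host, prefer
# `sshd -T`, which prints the effective configuration.

# Print the first non-comment value of a directive, lower-cased (sshd honours
# the first occurrence). If the directive is absent, print the given default.
sshd_directive() {
  # $1 config file, $2 directive name (case-insensitive), $3 default value
  awk -v k="$2" -v d="$3" '
    tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
    END { if (!found) print tolower(d) }' "$1"
}

# Exit status 0 when no password-style login path remains, 1 when one does.
audit_password_paths() {
  cfg="$1"
  pw=$(sshd_directive "$cfg" PasswordAuthentication yes)
  pam=$(sshd_directive "$cfg" UsePAM no)
  # OpenSSH 8.7+ names the keyboard-interactive switch KbdInteractiveAuthentication;
  # older releases use ChallengeResponseAuthentication. Both default to yes.
  kbd=$(sshd_directive "$cfg" KbdInteractiveAuthentication "")
  [ -n "$kbd" ] || kbd=$(sshd_directive "$cfg" ChallengeResponseAuthentication yes)

  if [ "$pw" = yes ]; then
    echo "$cfg: PasswordAuthentication yes -> passwords are accepted directly"
    return 1
  fi
  if [ "$pam" = yes ] && [ "$kbd" = yes ]; then
    echo "$cfg: UsePAM yes + keyboard-interactive yes -> PAM can still prompt for a password"
    return 1
  fi
  echo "$cfg: no password-style login path (PAM may still run account/session checks)"
  return 0
}

# Constructed sample configs for the demonstration (not taken from any real host).
# Prints the directory that holds them.
write_sample_configs() {
  dir=$(mktemp -d)
  cat > "$dir/weak_sshd_config" <<'EOF'
# Password logins look disabled, but PAM keyboard-interactive is still open.
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
PermitRootLogin without-password
EOF
  cat > "$dir/hardened_sshd_config" <<'EOF'
# PAM keeps doing account and session processing but cannot authenticate.
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin without-password
EOF
  echo "$dir"
}

# Stand-alone demo: audit both samples.
samples=$(write_sample_configs)
audit_password_paths "$samples/weak_sshd_config" || true
audit_password_paths "$samples/hardened_sshd_config" || true
```

The point the audit makes concrete is that `PasswordAuthentication no` only closes the `password` method; with `UsePAM yes`, the `keyboard-interactive` method hands the exchange to PAM, which will happily ask for a password unless `ChallengeResponseAuthentication` (or `KbdInteractiveAuthentication` on newer releases) is also set to `no`. That matches the advice in the quoted sshd_config comment: keep PAM for account and session processing, but disable both authentication methods.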