
Numerous sources provide instructions for key-based authentication to an SSH server, rather than password based.

In some isolated environments, it is preferable for a server to authorize a user without requiring any credentials, only a recognized user name.

Is such a case supported by OpenSSH running under Linux? How may a server be configured to authorize a user without requiring credentials?


1 Answer


By definition, authentication is the act of proving the identity of a user. For example, 'root' is a known user name on every Linux system. If a server grants access to any user presenting themselves as 'root', there is no authentication taking place; merely identification. And the identity itself is typically not a secret. For example, the /etc/passwd file that lists all local usernames is readable for all users.

Conventionally, authentication takes place after the identification step and involves the use of one or more authentication factors - something the user knows (like a password), something the user has (like an SSH key) or something the user is/does (like a fingerprint). You can refer to the Wikipedia page for a lot more info: https://en.wikipedia.org/wiki/Authentication

With SSH, the closest approximation you can make is to use an account with an empty or blank password. Then you could use AuthenticationMethods none and PermitEmptyPasswords yes (in sshd_config), and you should be able to log in with the username and a blank password. Globally setting these options would be unwise; it is better to use a Match block and apply these settings to a specific user or user group. Since the user name is the only line of defense, it would also make sense to use a new, non-standard username. See the manpage for more details on the options: sshd_config(5)

Again, this approach is unsafe from a security perspective as you're cutting out authentication entirely. And depending upon the privileges allowed to the password-less user account, you will open yourself up to further vulnerabilities. Review your requirements carefully and decide if you would like to proceed.

  • After setting AuthenticationMethods none, would the server authenticate based solely on user identifier? Commented Dec 23, 2021 at 23:27
  • @epl No, the manpage mentions that it is used to allow empty passwords: '"none" (used for access to password-less accounts when PermitEmptyPasswords is enabled)' Commented Dec 24, 2021 at 3:38
  • Is there any configuration that would cause the server to authenticate a user (or group of users, or all users) unconditionally, even if the user's system account has a password? Commented Dec 24, 2021 at 5:05
  • Not as far as I can tell. The associated RFC defines the 'none' authentication method as a special case, explicitly stating that it 'MUST NOT be listed as supported by the server.' You can review the SSH specs here: openssh.com/specs.html (1/2) Commented Dec 24, 2021 at 8:04
  • From a historical sense, SSH evolved as a modern-day secure equivalent of tools such as rlogin and telnet. These tools did permit logins without authentication, and had other shortcomings. AFAIK, they still 'work', in the sense that you can connect to a remote system and get a shell. Perhaps you should take a look at some of these tools? (2/2) Commented Dec 24, 2021 at 8:06
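
The Match-scoped configuration the answer recommends, together with a small audit check that flags the unwise global form. This is an added example and not code from the answer's author; the account name kiosk-guest, the Address criterion and the temp-file demo are assumptions for illustration, and the audit is a plain text scan of the file, not sshd's own config parser.

```sh
#!/bin/sh
# Added example (not from the answer above). Two constructed sshd_config
# fragments and a heuristic audit:
#  - write_scoped_config: the answer's approach, with PermitEmptyPasswords and
#    AuthenticationMethods none confined to one Match block. The user name
#    "kiosk-guest" and the Address criterion are assumptions.
#  - write_global_config: the same options applied globally (the unwise case).
#  - audit_sshd_config: exits 0 when those settings appear only inside Match
#    blocks (or not at all) and 1 when either one is set globally.

write_scoped_config() {
    cat > "$1" <<'EOF'
# Global defaults stay restrictive for every other account
PermitRootLogin no
PermitEmptyPasswords no

# Only the dedicated credential-less account, from one subnet, gets the
# relaxed settings. Keywords after a Match line apply until the next Match.
Match User kiosk-guest Address 10.0.0.0/24
    PermitEmptyPasswords yes
    AuthenticationMethods none
EOF
}

# Constructed counter-example: the relaxed settings with no Match scoping
write_global_config() {
    cat > "$1" <<'EOF'
PermitRootLogin no
PermitEmptyPasswords yes
AuthenticationMethods none
EOF
}

# Usage: audit_sshd_config /path/to/sshd_config
audit_sshd_config() {
    awk '
        BEGIN { in_match = 0; global_weak = 0 }
        # skip comments and blank lines
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # sshd_config keywords are case-insensitive; a Match line starts a
        # block that runs to the next Match line or end of file
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }
        tolower($1) == "permitemptypasswords" && tolower($2) == "yes" { global_weak = 1 }
        tolower($1) == "authenticationmethods" && index(tolower($2), "none") { global_weak = 1 }
        END { exit global_weak }
    ' "$1"
}

# Stand-alone demo: audit both constructed files and report the verdict
demo() {
    f="$(mktemp)"
    write_scoped_config "$f"
    if audit_sshd_config "$f"; then
        echo "scoped config: weak settings confined to a Match block"
    else
        echo "scoped config: weak settings applied globally"
    fi
    write_global_config "$f"
    if audit_sshd_config "$f"; then
        echo "global config: weak settings confined to a Match block"
    else
        echo "global config: weak settings applied globally"
    fi
    rm -f "$f"
}

demo
```

After merging such a fragment into the real sshd_config, `sshd -t -f /path/to/sshd_config` checks the syntax, and `sshd -T -C user=kiosk-guest,addr=10.0.0.5` prints the effective settings for that user and source address, which is the quickest way to confirm the Match block applies only where intended.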
