
Wednesday, October 27, 2021

Disabling ssh password auth on Monterey is different

If you're riding the bleeding edge of Mac software updates, you might have just installed Monterey, or you will soon. If you're also running sshd so you can log in remotely, you should be aware that the typical "revert your config" shenanigans have happened, so you are once again accepting password authentication, and thus are subject to a brute-force attack.

My post from March talks about editing the sshd_config to make it go away, and, well, that doesn't apply any more. They've changed the way the config works to add a ".d" directory scheme which sets some defaults. There is now /etc/ssh/sshd_config.d, and in it, 100-macos.conf.

Editing that file would likely get reverted upon the next patch (12.0.2?), so that's right out. You can't go past it with a higher number, since as the sshd_config points out, the *first* instance of a setting is kept, and subsequent instances of the same setting are ignored.

Instead, you have to get in front of them, and use a LOWER number. Try something like "000-yourname.conf" and then just drop this in:

UsePAM no
PasswordAuthentication no

If we're lucky, they won't wipe that entire directory on updates, and so maybe this will stick around for longer than usual.

Finally, after you make this change, make sure it actually worked by forcing a password/interactive-only login attempt to the machine. Make sure it fails and doesn't ask you for a password. If you don't know how to do this, the previous post contains info on that, including a terrible scanner script that belongs in the bottom of a cat box.
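As an added example (not from the original post), here is a small POSIX shell helper that writes the low-numbered drop-in and emulates the "first occurrence of a setting wins" rule, so you can see which file in the include directory actually decides PasswordAuthentication before restarting anything. It assumes sshd reads the directory in sorted filename order and that settings use the `Key value` form; the directory is a parameter because the demo runs on a constructed temp dir, and the contents of its stand-in 100-macos.conf are made up for the demo, not copied from Apple's file.

```shell
#!/bin/sh
# Added example, not from the original post. Emulates the "first occurrence
# of a setting wins" rule the post describes, so you can confirm which file
# in the include directory actually decides PasswordAuthentication before
# restarting sshd. Assumes the directory is included in sorted filename
# order and settings use the "Key value" form (no "Key=value").

# write_dropin DIR NAME: create the low-numbered drop-in from the post.
write_dropin() {
    mkdir -p "$1"
    printf 'UsePAM no\nPasswordAuthentication no\n' > "$1/$2"
}

# effective_setting DIR KEY: print "value<TAB>file" from the first file in
# sorted order that sets KEY (case-insensitive, comment lines skipped).
# Later files setting the same key are ignored, just as sshd ignores them.
effective_setting() {
    dir=$1; key=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        val=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$f")
        if [ -n "$val" ]; then
            printf '%s\t%s\n' "$val" "$f"
            return 0
        fi
    done
    return 1
}

# Demo on a constructed directory standing in for /etc/ssh/sshd_config.d.
# The 100- file is a made-up stand-in that turns passwords back on, the
# 200- file shows a higher number changes nothing, and the 000- file wins.
# Run with: sh thisfile.sh demo
demo() {
    d=$(mktemp -d)
    printf 'UsePAM yes\nPasswordAuthentication yes\n' > "$d/100-macos.conf"
    printf 'PasswordAuthentication no\n' > "$d/200-too-late.conf"
    printf 'stock:    %s\n' "$(effective_setting "$d" PasswordAuthentication)"
    write_dropin "$d" 000-yourname.conf
    printf 'with 000: %s\n' "$(effective_setting "$d" PasswordAuthentication)"
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Once the real file is in place, `sudo sshd -T | grep -i passwordauthentication` dumps sshd's own view of the effective value, and the forced password-only login attempt described above is still the final test.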

Enjoy.