[MEDIUM] Cortex (10.1.11.9) SSH PasswordAuthentication defaults to yes #39

Open
opened 2026-05-06 10:46:26 -05:00 by pjennings · 0 comments

Description

On cortex (10.1.11.9), the SSH daemon's effective setting is PasswordAuthentication yes. PermitRootLogin is correctly set to without-password (the legacy spelling of prohibit-password, so root is pubkey-only), but every non-root account can still authenticate with a password.

Finding Details

  • Host: cortex (10.1.11.9)
  • Port: 22/tcp
  • Service: OpenSSH 10.0
  • Effective config (sshd -T): passwordauthentication yes, permitrootlogin without-password (how sshd -T reports prohibit-password), pubkeyauthentication yes, maxauthtries 6
  • Config file: /etc/ssh/sshd_config - PasswordAuthentication is commented out (line 65 of that file) and no included drop-in sets it, so the compile-time default (yes) applies.
  • Discovered by: sshd -T config review, 2026-05-06

Risk

Password authentication exposes every local account to online password guessing and credential stuffing from any host that can reach port 22; MaxAuthTries 6 only caps attempts per connection, not per source. The NixOS-managed hosts (apps1-3, db1) run OpenSSH 10.2 with an effective setting of PasswordAuthentication no. Cortex runs Fedora, where nothing in the shipped configuration overrides sshd's compile-time default of yes, so it is the only host in the fleet still accepting passwords.

Recommendations

  1. Verify pubkey access works first for every account that needs SSH access to cortex, from a second session, before changing anything
  2. Explicitly set PasswordAuthentication no, and KbdInteractiveAuthentication no as well (with UsePAM, a password prompt can otherwise still arrive via keyboard-interactive). Because sshd keeps the first value it reads for a keyword and Fedora's sshd_config includes /etc/ssh/sshd_config.d/*.conf before its own settings, put this in a low-numbered drop-in rather than at the bottom of sshd_config
  3. Run sshd -t to check the configuration, then reload sshd (existing sessions are unaffected)
  4. Confirm with sshd -T that the effective values are now passwordauthentication no and kbdinteractiveauthentication no
  5. Consider migrating to NixOS-managed config for consistency
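The remediation steps above, as an added example that is not part of the original issue: a small POSIX shell script that writes the hardened settings to a drop-in, validates and reloads sshd, and checks the effective configuration the same way this finding was discovered. The drop-in path 00-no-password-auth.conf is an assumption (any name sorted before Fedora's 50-redhat.conf works); AuthenticationMethods publickey is added as belt-and-braces so that no password path can be re-enabled by a later config change. The check function parses sshd -T style output from stdin so it can be exercised against constructed input without a running sshd.

```shell
#!/bin/sh
# Added example for issue #39 (not the issue author's code). Assumes a
# Fedora-style sshd_config with "Include /etc/ssh/sshd_config.d/*.conf"
# near the top; sshd keeps the FIRST value it reads for a keyword, so a
# drop-in sorted before 50-redhat.conf wins. The file name is an assumption.
DROPIN=/etc/ssh/sshd_config.d/00-no-password-auth.conf

# Hardened settings. KbdInteractiveAuthentication is included because with
# UsePAM yes a password prompt can still be delivered via keyboard-interactive
# even when PasswordAuthentication is no. AuthenticationMethods publickey
# (an added hardening, not in the finding) makes pubkey mandatory regardless.
hardened_config() {
  cat <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PubkeyAuthentication yes
AuthenticationMethods publickey
EOF
}

# Read "sshd -T" output on stdin. Exit 0 only if no password-based path
# remains; print each offending line so a failure is explicit.
# sshd -T reports prohibit-password as "without-password", which is fine.
check_effective() {
  awk '
    $1 == "passwordauthentication"       && $2 == "yes" { bad++; print "password auth still enabled: " $0 }
    $1 == "kbdinteractiveauthentication" && $2 == "yes" { bad++; print "keyboard-interactive still enabled: " $0 }
    $1 == "permitrootlogin"              && $2 == "yes" { bad++; print "root password login allowed: " $0 }
    END { exit (bad > 0 ? 1 : 0) }
  '
}

# Write the drop-in, test the config, reload, then re-check effective values.
# Run only after confirming pubkey login works from a second session.
apply() {
  hardened_config > "$DROPIN"
  chmod 600 "$DROPIN"
  sshd -t || { echo "sshd -t failed; drop-in left in place, sshd not reloaded" >&2; return 1; }
  systemctl reload sshd
  sshd -T | check_effective
}

if [ "${1:-}" = "--apply" ]; then
  apply
fi
```

Usage: `sshd -T | check_effective` gives the current state of any host (it fails on cortex today and passes on apps1-3 and db1); `sh harden-ssh.sh --apply` as root performs steps 2 through 4. Keep the original session open until a fresh pubkey login succeeds.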

References

  • Related: docs/network-scan-2026-05-06.md (Finding F-04)
  • Note: Distinct from #11 (passwordless sudo for wheel group)