Comment by kazinator

3 months ago

The analysis in this article is incomplete, due to missing some information that is relevant to its conclusions. It is an established pattern with his blog. Curious how it keeps showing up on the front page of HN.

> As everyone with an Internet-exposed SSH daemon knows, attackers are constantly attempting password guesses against various accounts. But if you're using a strong password, the odds of an attacker guessing it are extremely low.

The odds are zero if they are trying the wrong account names!

SSH password guessers are not probing the space of possible user names, only passwords. Look at your logs, man.

For instance, they assume that the superuser account is named root. If you don't call it root, your password could be "password" or even blank and they will never get in.

What OpenSSH needs is a server configuration where you specify a list of allowed user names.

> [not accepting password authentication] stops an attacker that can steal and then crack your encrypted passwords

What? If the attacker steals your shadow file, they must already somehow have root. At that point, they don't have to care what you think about SSH authentication. They can leave ways for themselves to have repeated access.

> In practice, (OpenSSH) password authentication is a complex piece of code that interacts with things like your system's random set of PAM modules.

Does any of that code execute for user IDs not listed in the AllowUsers variable in sshd_config?

If I have this:

  AllowUsers = 3CDF4497

will sshd execute all the PAM code and whatnot for a login attempt for user root?

This mechanism also solves the problem of some new software installation adding an administrative account with a known password. And maybe don't go installing random crap on the machine that serves you SSH access.

Okay sure, there can be this vanishingly improbable flow of events. Somehow a malicious actor knows the above root username. They're a fired IT employee, and the organization forgot to change that name, only the password. The employee uses their knowledge of the secret user ID to attack a vulnerability in the password auth stack.
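Added example, not part of kazinator's comment and not OpenSSH code: a small Python check that reads AllowUsers from a constructed sshd_config excerpt (accepting both the `AllowUsers value` and the `AllowUsers = value` spelling used above) and tallies the usernames attempted in constructed auth.log lines against that list, which is what "look at your logs" amounts to in practice. The log message formats are the ones sshd emits; the hostname, addresses and the account name are constructed.

```python
import re
from collections import Counter
from fnmatch import fnmatch

SSHD_CONFIG = """
# Constructed sshd_config excerpt (hypothetical host): only this one account may log in over SSH
AllowUsers 3CDF4497
PasswordAuthentication no
"""

# Constructed auth.log lines in sshd's real message formats; addresses are from documentation ranges
AUTH_LOG = """
Jun 10 01:02:03 host sshd[123]: Invalid user admin from 203.0.113.5 port 41022
Jun 10 01:02:04 host sshd[123]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jun 10 01:02:09 host sshd[124]: User root from 203.0.113.5 not allowed because not listed in AllowUsers
Jun 10 01:03:00 host sshd[125]: Accepted publickey for 3CDF4497 from 198.51.100.7 port 50000 ssh2
"""

# The username follows "Invalid user", "User", "Failed password for [invalid user]" or "Accepted <method> for"
LOG_RE = re.compile(r"sshd\[\d+\]: (?:Invalid user|User|Failed password for(?: invalid user)?|Accepted \w+ for) (\S+) from (\S+)")

def parse_sshd_config(text):
    """Return {lowercased keyword: [args]}, accepting 'Keyword value' and 'Keyword=value' forms."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key, args = parts[0].lower(), (parts[1].split() if len(parts) > 1 else [])
        if key in ("allowusers", "denyusers", "allowgroups", "denygroups"):
            conf.setdefault(key, []).extend(args)  # these lists accumulate across lines
        else:
            conf.setdefault(key, args)  # for other keywords sshd keeps the first occurrence
    return conf

def user_allowed(user, allow_patterns):
    """AllowUsers entries may be USER or USER@HOST and may contain shell-style wildcards."""
    return any(fnmatch(user, pat.split("@", 1)[0]) for pat in allow_patterns)

def summarize_attempts(log_text, allow_patterns):
    """Map each username seen in the log to (number of log lines, whether AllowUsers admits it)."""
    seen = Counter(m.group(1) for m in map(LOG_RE.search, log_text.splitlines()) if m)
    return {user: (n, user_allowed(user, allow_patterns)) for user, n in seen.items()}

if __name__ == "__main__":
    conf = parse_sshd_config(SSHD_CONFIG)
    for user, (n, ok) in summarize_attempts(AUTH_LOG, conf.get("allowusers", [])).items():
        print(f"{user:12} lines={n:2} {'allowed' if ok else 'NOT in AllowUsers'}")
```

Attempts against names outside AllowUsers are rejected by sshd before password or PAM processing is reached for that account, which is the distinction the comment is drawing.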