FiloSottile/whoami.filippo.io

Avoiding SSH key enumeration

daenney opened this issue · 6 comments

So, for those interested in how to avoid the enumeration of SSH keys: set the PreferredAuthentications option to keyboard-interactive,password globally in your .ssh/config. That seems to prevent SSH from defaulting to sending your keys over.

Now you'll need a Host stanza that includes an IdentityFile setting for every host that you do want to connect to with a key, or pass that in as an option when using SSH to connect to said machine.

Just added some similar instructions to the README.

https://github.com/FiloSottile/whosthere#how-do-i-stop-it

jomo commented

You can also set this in your /etc/ssh_config or ~/.ssh/config:

Host *
  # only use the authentication identity files configured in the ssh_config files
  IdentitiesOnly yes
  # don't send my local username
  User root

IdentitiesOnly only prevents identities stored in an agent from being sent. Other identities, notably ~/.ssh/id_* are still sent.

Daaaamn @vincentbernat is right. Updating the README.

jomo commented

Oh well I had my default IdentityFile set to /dev/null :neckbeard:

> Oh well I had my default IdentityFile set to /dev/null :neckbeard:

Ha, I like that one, thanks!
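
The settings discussed in this thread (PreferredAuthentications, IdentitiesOnly, IdentityFile /dev/null) can be checked against the effective client configuration that ssh -G prints for a host. The following is an added example, not part of the original thread or the project's code; the function name key_exposure, the sample_* helpers and their contents are constructed for illustration, and the verdicts encode the behaviour described in the comments above.

```shell
#!/bin/sh
# key_exposure: read `ssh -G <host>` output on stdin and print one verdict
# line saying whether public keys would be offered to that host.
key_exposure() {
    awk '
        { key = tolower($1) }
        key == "preferredauthentications" { pref = tolower($2) }
        key == "identitiesonly"           { only = tolower($2) }
        key == "identityfile" {
            # /dev/null (or "none") loads no key; any other path may be offered
            if ($2 != "/dev/null" && $2 != "none") files = files " " $2
        }
        END {
            if (pref != "" && ("," pref ",") !~ /,publickey,/)
                print "ok: publickey authentication is not attempted"
            else if (only == "yes" && files == "")
                print "ok: no agent keys and no identity files are offered"
            else if (only == "yes")
                print "exposed: identity files still offered:" files
            else
                print "exposed: agent keys and identity files may be offered"
        }'
}

# Constructed samples of `ssh -G` output (not captured from a real host).
sample_default() {        # no hardening at all
    printf '%s\n' 'user alice' 'identitiesonly no' \
        'identityfile ~/.ssh/id_rsa' 'identityfile ~/.ssh/id_ed25519'
}
sample_identitiesonly() { # IdentitiesOnly yes alone: default files remain
    printf '%s\n' 'user root' 'identitiesonly yes' 'identityfile ~/.ssh/id_rsa'
}
sample_devnull() {        # IdentitiesOnly yes plus IdentityFile /dev/null
    printf '%s\n' 'user root' 'identitiesonly yes' 'identityfile /dev/null'
}
sample_prefauth() {       # global PreferredAuthentications without publickey
    printf '%s\n' 'user alice' 'identitiesonly no' 'identityfile ~/.ssh/id_rsa' \
        'preferredauthentications keyboard-interactive,password'
}

for s in sample_default sample_identitiesonly sample_devnull sample_prefauth; do
    printf '%-22s %s\n' "$s" "$("$s" | key_exposure)"
done
# Against a real configuration: ssh -G some.host.example | key_exposure
```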