Monterey - Disable Password Authentication for SSH

Information

If remote login through SSH is enabled, password based authentication _MUST_ be disabled for user login.

All users _MUST_ go through multifactor authentication to prevent unauthenticated access and potential compromise to the system.

NOTE: /etc/ssh/sshd_config will be automatically modified to its original state following any update or major upgrade to the operating system.

Solution

[source,bash]
----
/usr/bin/sed -i.bak_$(date "+%Y-%m-%d_%H:%M") "s|#PasswordAuthentication yes|PasswordAuthentication no|; s|#ChallengeResponseAuthentication yes|ChallengeResponseAuthentication no|" /etc/ssh/sshd_config; /bin/launchctl kickstart -k system/com.openssh.sshd
----

See Also

https://github.com/usnistgov/macos_security

Item Details

Category: IDENTIFICATION AND AUTHENTICATION, MAINTENANCE

References: 800-53|IA-2, 800-53|IA-2(1), 800-53|IA-2(2), 800-53|IA-2(6), 800-53|IA-2(8), 800-53|IA-5(2), 800-53|MA-4, CCE|CCE-90884-8

Plugin: Unix

Control ID: af2959b14fcfe15cb0340c1964a6511ff91364bd575e0eac8fcc04fe5201e623