SSH Password Authentication Enabled Instead of Key-Based

Quick Summary

SSH Password Authentication Enabled Instead of Key-Based is a security misconfiguration where the SSH service allows password-based authentication rather than enforcing public key authentication. Password-based SSH access significantly increases exposure to brute-force attacks, credential stuffing, and unauthorized remote access.

Vulnerability Classification

FieldValue
Vulnerability TypeSSH Authentication Misconfiguration
CWE IDCWE-287 – Improper Authentication
CVE IDN/A (Configuration Issue)
CVSS 4.0 Base Score7.8 (High)
CVSS VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L
OWASP CategoryA05:2021 – Security Misconfiguration
Attack SurfaceInternal / External Network

Affected Asset / Environment

  • Service: SSH
  • Default Port: 22
  • Platforms: Linux, Unix, Network Appliances
  • Testing Method: Black-box Network Assessment
  • Tools Used: Nmap, Hydra, SSH Client

Description

The assessor observed that the SSH service running on the target system permits password-based authentication. During testing, the SSH server accepted password login attempts instead of enforcing public key authentication.

Password-based authentication is vulnerable to brute-force and credential reuse attacks. If the SSH service is exposed to the internet, automated attack tools may attempt repeated login attempts to compromise user accounts.

Secure environments should enforce key-based authentication, which relies on asymmetric cryptography and significantly reduces the risk of credential-based attacks.

Root Cause

The issue occurs due to SSH daemon configuration allowing password authentication.

Common root causes include:

  • PasswordAuthentication yes enabled in sshd_config
  • Default SSH configuration not hardened
  • Lack of SSH security baseline enforcement
  • Failure to disable password-based login
  • Absence of multi-factor authentication

Business Impact

Exploitation of this vulnerability may allow attackers to perform brute-force attacks against user accounts. If credentials are weak or reused, unauthorized access to production servers may occur.

Compromised SSH access may lead to data theft, service disruption, lateral movement within the network, and potential ransomware deployment.

Externally exposed SSH services are commonly targeted by automated scanning tools.

Technical Impact

An attacker can:

  • Perform brute-force password attacks
  • Conduct credential stuffing attacks
  • Attempt password spraying
  • Gain shell access if credentials are compromised
  • Escalate privileges depending on system configuration

This significantly increases the likelihood of unauthorized remote access.

Proof of Concept (PoC)

Step1: Identify SSH Service

nmap -sV -p 22 <target-ip>

If port 22 is open and service is identified as SSH, proceed with authentication testing.

Step2: Confirm Password Authentication Is Enabled

Attempt manual login:

ssh user@<target-ip>

If server prompts for password and accepts password-based authentication, the configuration allows password login.

Step3: Enumerate SSH Authentication Methods

nmap -p 22 --script ssh-auth-methods <target-ip>

If output lists password under supported authentication methods, the service allows password authentication.

Step4: Test Brute-force Exposure (Authorized Testing Only)

hydra -l user -P passwords.txt ssh://<target-ip>

If login attempts are processed, the system is susceptible to password-based attacks.

Exploitation Prerequisites

  • Network access to port 22
  • SSH service enabled
  • Password authentication allowed
  • Weak or exposed credentials

Remediation

It is recommended that password-based SSH authentication be disabled and replaced with key-based authentication.

Recommended actions:

  • Set PasswordAuthentication no in sshd_config
  • Enable public key authentication only
  • Implement multi-factor authentication
  • Restrict SSH access to trusted IP addresses
  • Change default SSH port if appropriate
  • Implement fail2ban or similar intrusion prevention tools
  • Enforce strong password policy if password login must remain enabled

After configuration changes, restart the SSH service and validate enforcement.

Detection and Monitoring

  • Monitor SSH logs for repeated failed login attempts
  • Alert on excessive authentication failures
  • Implement intrusion detection for brute-force behavior
  • Regularly audit SSH configuration settings

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *