Cybersecurity Triage

Find SSH Password Auth Exceptions

You need to see whether sshd_config contains password-authentication exceptions under Match rules that override the global setting.

Command

awk '/^Match /{ctx=$0} /^PasswordAuthentication|^AuthenticationMethods|^[[:space:]]+PasswordAuthentication|^[[:space:]]+AuthenticationMethods/ {print (ctx ? ctx : "global") ": " $0}' etc/ssh/sshd_config

What changed

Nothing changes. The command reads sshd_config and prints authentication directives with their current Match context.
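The awk one-liner above is a quick triage check, but it has two blind spots a reviewer should know about: it matches keywords case-sensitively (sshd itself accepts `passwordauthentication yes`), and it does not follow `Include` files, which is where distribution drop-ins commonly live. The following parser, added here as an example and not part of the lesson's own tooling, walks a config with its Match context, resolves Include globs against a constructed in-memory file set (a stand-in for the real filesystem), and lists every Match-scoped directive that re-enables password authentication. The fixture text and the `50-legacy.conf` drop-in are constructed for this example.

```python
"""Constructed example: report sshd password-auth exceptions per Match block.

Goes beyond the page's awk one-liner in three ways: keywords are matched
case-insensitively (as sshd does), Include globs are followed, and a
'Match all' line returns to global scope.
"""
import fnmatch
from dataclasses import dataclass

AUTH_KEYWORDS = {"passwordauthentication", "authenticationmethods",
                 "kbdinteractiveauthentication"}


@dataclass
class Directive:
    context: str   # "global" or the full Match line this directive sits under
    keyword: str   # keyword exactly as written in the file
    value: str
    source: str    # file the directive came from


def parse_auth_directives(text, name="sshd_config", files=None, ctx="global"):
    """Return auth-related directives together with their Match context.

    `files` is a dict {path: contents} standing in for the filesystem so the
    example runs offline; Include patterns are resolved against its keys.
    Match lines inside an included file only affect that file (simplification).
    """
    files = files or {}
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # 'Match all' matches every connection, i.e. back to global scope
            ctx = "global" if val.lower() == "all" else line
        elif key == "include":
            # An Include inside a Match block keeps that block's context
            for pattern in val.split():
                for path in sorted(p for p in files if fnmatch.fnmatch(p, pattern)):
                    out.extend(parse_auth_directives(files[path], path, files, ctx))
        elif key in AUTH_KEYWORDS:
            out.append(Directive(ctx, parts[0], val, name))
    return out


def password_exceptions(directives):
    """Directives inside a Match block that (re)enable password authentication."""
    hits = []
    for d in directives:
        if d.context == "global":
            continue
        k = d.keyword.lower()
        if k == "passwordauthentication" and d.value.lower() == "yes":
            hits.append(d)
        elif k == "authenticationmethods":
            # value is space-separated alternatives, each a comma-separated chain
            chains = [chain.lower().split(",") for chain in d.value.split()]
            if any("password" in chain for chain in chains):
                hits.append(d)
    return hits


# Constructed fixture modelled on the lesson's transcript, plus a drop-in file
MAIN = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
AllowUsers alice deploy
Include etc/ssh/sshd_config.d/*.conf
Match Address 198.51.100.0/24
    PasswordAuthentication yes
    AuthenticationMethods publickey,password
"""
FILES = {
    # lowercase keyword: sshd accepts it, but the page's awk pattern would miss it
    "etc/ssh/sshd_config.d/50-legacy.conf": "Match User legacy\n  passwordauthentication yes\n",
}


def report(text=MAIN, files=FILES):
    """One line per exception: '<Match context>: <keyword> <value>  [<file>]'."""
    directives = parse_auth_directives(text, "etc/ssh/sshd_config", files)
    return ["%s: %s %s  [%s]" % (d.context, d.keyword, d.value, d.source)
            for d in password_exceptions(directives)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run against the fixture it prints three exceptions: the lowercase one from the included drop-in and the two from the `Match Address` block. On a real host, read the files from `/etc/ssh` instead of the `FILES` dict, and still confirm the effective policy with `sshd -T` before acting on the result.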

Danger

safe

When to use it

Use when a host appears to be key-only but some users or source ranges may still be allowed to use password authentication.

When not to use it

Do not reload SSH based only on this excerpt; validate the full effective sshd configuration on a real host.

Undo or recovery

No undo needed because this command is read-only.

Expected output

Authentication directives labeled as global or attached to the active Match block.

demo script

Disposable terminal steps

  1. sed -n '1,12p' etc/ssh/sshd_config
  2. awk '/^Match /{ctx=$0} /^PasswordAuthentication|^AuthenticationMethods|^[[:space:]]+PasswordAuthentication|^[[:space:]]+AuthenticationMethods/ {print (ctx ? ctx : "global") ": " $0}' etc/ssh/sshd_config

simulated output

What it looks like

disposable vessel
$ sed -n '1,12p' etc/ssh/sshd_config
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
AllowUsers alice deploy
Include etc/ssh/sshd_config.d/*.conf
Match Address 198.51.100.0/24
    PasswordAuthentication yes
    AuthenticationMethods publickey,password
::exit-code::0
$ awk '/^Match /{ctx=$0} /^PasswordAuthentication|^AuthenticationMethods|^[[:space:]]+PasswordAuthentication|^[[:space:]]+AuthenticationMethods/ {print (ctx ? ctx : "global") ": " $0}' etc/ssh/sshd_config
global: PasswordAuthentication no
global: AuthenticationMethods publickey
Match Address 198.51.100.0/24:     PasswordAuthentication yes
Match Address 198.51.100.0/24:     AuthenticationMethods publickey,password
::exit-code::0

YouTube Short

Find SSH password exceptions.

PasswordAuthentication no is not the whole story if a Match block later changes the rule for a source range.

LinkedIn hook

A global password-auth setting can be changed later by a Match block.

Question: Do you check SSH Match blocks before assuming password auth is disabled everywhere?

experiments

A/B tests to run

Metric: watch_time

A: Password auth exception.

B: Match blocks change SSH policy.