
Quoting Trent W. Buck (trentbuck@gmail.com):
> Otherwise, there is an (admittedly small) window between installing sshd, and locking down sshd_config, in which people can attack sshd in its default configuration.
(For values of 'attack' approximating twisting a house's front doorknob.) Anyone who's run a public sshd and noted automated attempts to login using 'joe' account/password combinations will have noticed that the rate of traffic involved is really slow. It would be interesting to run the numbers on that; I'll readily confess I haven't, but breaking into systems that way strikes me as pretty improbable under most circumstances, and basically not worth worrying about unless you have users who use _literally_ trivially guessable credentials. (I've run Linux servers fully exposed to the Internet since 1993, FWIW.)

Anyway, to enforce password strength on all non-root users:

1. Install libpam_cracklib. (In Debian, that's the literal package name.)

2. Add this to /etc/pam.d/common-password

   password required pam_cracklib.so retry=2 minlen=10 difok=3

'difok' should be visually parsed as 'diff OK', and specifies the number of characters permitted to be the same between password N and password N+1.
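As an added example (not part of the post above), here is a small audit script that parses a PAM "password" stack in the format of /etc/pam.d/common-password, pulls out the pam_cracklib arguments from a line like the one given, and reports whether the stack meets a chosen minimum. The sample file content is constructed; the defaults it assumes when an argument is absent (retry=1, minlen=9, difok=5) are pam_cracklib's documented defaults.

```python
"""Audit pam_cracklib settings in a PAM 'password' stack (added example)."""
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample of an /etc/pam.d/common-password file, using the
# pam_cracklib line from the post plus typical surrounding entries.
SAMPLE_COMMON_PASSWORD = """\
# /etc/pam.d/common-password (constructed sample)
password required pam_cracklib.so retry=2 minlen=10 difok=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
password requisite pam_deny.so
password required pam_permit.so
"""

def parse_pam_lines(text: str) -> Iterator[Tuple[str, str, str, Dict[str, str]]]:
    """Yield (type, control, module, args) for each non-comment PAM line.
    Bracketed control fields such as [success=1 default=ignore] contain
    spaces, so they are matched as one token."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue
        ptype, control, module, rest = m.groups()
        args: Dict[str, str] = {}
        for tok in rest.split():
            key, _, val = tok.partition("=")
            args[key] = val          # flag-style args (no '=') get an empty value
        yield ptype, control, module, args

def cracklib_settings(text: str) -> Optional[Dict[str, str]]:
    """Return the arguments of the first pam_cracklib 'password' entry, or None."""
    for ptype, _control, module, args in parse_pam_lines(text):
        if ptype == "password" and module == "pam_cracklib.so":
            return args
    return None

def audit_password_policy(text: str, min_minlen: int = 10) -> List[str]:
    """Return findings; an empty list means the stack meets the policy."""
    args = cracklib_settings(text)
    if args is None:
        return ["pam_cracklib.so is not configured in the password stack"]
    findings = []
    minlen = int(args.get("minlen", 9))   # pam_cracklib default: minlen=9
    if minlen < min_minlen:
        findings.append(f"minlen={minlen} is below required {min_minlen}")
    if "retry" not in args:
        findings.append("retry not set; default retry=1 gives a single attempt")
    if "difok" not in args:
        findings.append("difok not set; default difok=5 applies")
    return findings
```

Run it against a real file with `audit_password_policy(open("/etc/pam.d/common-password").read())`; on a system that uses pam_pwquality instead, the check reports pam_cracklib as absent, which is expected.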