
Bug#452035: openssh-server: sshd_config should have AllowUsers by default



Package: openssh-server
Version: 1:4.3p2-9
Severity: important



-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Password strength is important on public-facing servers with sshd. It may not
be apparent that users other than the intended ssh user can make the system vulnerable
with their weak passwords. Bot attacks are using whois information and email addresses to
guess probable user names for brute-force attacks. Enabling all users by
default is a very bad idea.

The trade-off is the extra hassle of commenting out an AllowUsers line for installations that want
all users to be able to use ssh.

At the very least there should be a commented-out AllowUsers line in sshd_config, but that
is really not good enough.

I strongly urge that all user logins facing the network should be disabled by default.
I couldn't find such a disabled-by-default philosophy listed in Debian policy, but it should be.
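As an added check that is not part of the bug report: a small POSIX shell function that reports whether a given sshd_config actually restricts logins with AllowUsers or AllowGroups, the directives the report proposes as a default. AllowUsers and AllowGroups are real sshd_config keywords; the function name, its exit-status convention and the three sample configuration files are constructed for this demonstration and are written to a temporary directory, never to /etc/ssh.

```shell
#!/bin/sh
# Added example, not the bug report's or the openssh package's own code.
# Classify an sshd_config by whether it restricts who may log in.
# Exit status: 0 = an active AllowUsers/AllowGroups line is present,
#              1 = only a commented-out one, 2 = none at all, 3 = unreadable.
sshd_allowlist_status() {
    cfg="${1:-/etc/ssh/sshd_config}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 3; }
    # sshd matches keywords case-insensitively and ignores leading blanks,
    # so the patterns do the same; an active line needs at least one value.
    if grep -Eiq '^[[:space:]]*Allow(Users|Groups)[[:space:]]+[^[:space:]#]' "$cfg"; then
        echo "$cfg: active allow-list:"
        grep -Ei '^[[:space:]]*Allow(Users|Groups)[[:space:]]+' "$cfg"
        return 0
    elif grep -Eiq '^[[:space:]]*#[[:space:]]*Allow(Users|Groups)' "$cfg"; then
        echo "$cfg: AllowUsers/AllowGroups present but commented out;" \
             "every account with a password and a login shell may log in"
        return 1
    else
        echo "$cfg: no AllowUsers/AllowGroups at all;" \
             "every account with a password and a login shell may log in"
        return 2
    fi
}

# Demonstration on constructed sample configs in a temporary directory.
demo_dir=$(mktemp -d)
printf 'Port 22\nPermitRootLogin no\n'       > "$demo_dir/default.conf"
printf 'Port 22\n#AllowUsers admin\n'        > "$demo_dir/commented.conf"
printf 'Port 22\nAllowUsers admin deploy\n'  > "$demo_dir/restricted.conf"
for f in default commented restricted; do
    sshd_allowlist_status "$demo_dir/$f.conf" || echo "  -> exit status $?"
done
rm -rf "$demo_dir"
```

The check is a presence test only: an AllowUsers line inside a Match block is counted too, which is acceptable for confirming that some restriction exists. On a live host, `sshd -T` (run as root) prints the effective configuration and is the authoritative way to see which values sshd actually applies.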



