Bug#522745: [security] debian/openssh-server.postinst improved sshd_config
Package: openssh-server
Version: 1:5.1p1-5
Severity: normal
Tags: security
The following patch improves security in default /etc/ssh/sshd_config file:
- PermitRootLogin change: from 'yes' to 'no'
- Add 'Match Address 192.168.1.0/26' example to limit root logins inside LAN (in comments; for sysadm to enable it)
Cosmetic:
- Add paragraph breaks between option groups
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-server depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.25 Debian configuration management sy
ii dpkg 1.14.25 Debian package management system
ii libc6 2.9-4 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libkrb53 1.6.dfsg.4~beta1-6 MIT Kerberos runtime libraries
ii libpam-modules 1.0.1-5 Pluggable Authentication Modules f
ii libpam-runtime 1.0.1-5 Runtime support for the PAM librar
ii libpam0g 1.0.1-5 Pluggable Authentication Modules l
ii libselinux1 2.0.65-5 SELinux shared libraries
ii libssl0.9.8 0.9.8g-15 SSL shared libraries
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.1p1-5 secure shell client, an rlogin/rsh
ii procps 1:3.2.7-11 /proc file system utilities
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.3-2 X authentication utility
Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
pn rssh <none> (no description available)
pn ssh-askpass <none> (no description available)
-- debconf information excluded
From d768f16e6a93ce9af395e58a8976aee0a3f2af3d Mon Sep 17 00:00:00 2001
From: Jari Aalto <jari.aalto@cante.net>
Date: Mon, 6 Apr 2009 11:31:19 +0300
Subject: [PATCH] - Add 'Match Address example' for local LAN
- Change PermitRootLogin to 'no'.
---
openssh-server.postinst | 14 +++++++++++++-
1 files changed, 13 insertions(+), 1 deletions(-)
mode change 100644 => 100755 openssh-server.postinst
diff --git a/openssh-server.postinst b/openssh-server.postinst
old mode 100644
new mode 100755
index b7ea210..0d97ea5
--- a/openssh-server.postinst
+++ b/openssh-server.postinst
@@ -303,13 +303,17 @@ create_sshdconfig() {
# What ports, IPs and protocols we listen for
Port 22
+
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
+
Protocol 2
+
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
+
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
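Review bot: this hunk is cosmetic only (blank lines between option groups inside the heredoc) and changes nothing sshd interprets, so it belongs in a separate commit rather than in the same patch that flips `PermitRootLogin`; keeping the security-relevant change to a one-line diff makes it trivially reviewable and lets it be cherry-picked or reverted on its own. The same applies to the other blank-line-only hunks in this patch.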
@@ -323,7 +327,7 @@ LogLevel INFO
# Authentication:
LoginGraceTime 120
-PermitRootLogin yes
+PermitRootLogin no
StrictModes yes
RSAAuthentication yes
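Review bot: `PermitRootLogin no` also refuses root logins that authenticate with a public key, which is stricter than the stated goal (stopping password brute force against root) and may lock out admins who provision machines over key-based root SSH; `PermitRootLogin without-password` (OpenSSH's keyword for key-only root access) closes the password path while keeping key-based root logins, and is the less disruptive default. Either way, because this line sits inside `create_sshdconfig()` it only affects sshd_config files generated on fresh installs; existing installations keep whatever they have, so the new default should be announced in the changelog/NEWS so admins know which behaviour to expect.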
@@ -332,10 +336,13 @@ PubkeyAuthentication yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
+
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
+
# similar for protocol version 2
HostbasedAuthentication no
+
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
@@ -375,6 +382,11 @@ AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
+
+# To permit root logins only in local LAN
+# Match Address 192.168.1.0/26
+# PermitRootLogin yes
+
EOF
}
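Review bot: the example is placed correctly, since a `Match` block must be the last section of sshd_config (every directive after it, up to the next `Match`, belongs to it), but two details deserve a fix before sysadmins copy it. First, `192.168.1.0/26` only covers 192.168.1.0 through 192.168.1.63, not a whole typical /24 LAN; either use a /24 or say in the comment that the prefix is a placeholder to be adapted. Second, `PermitRootLogin yes` inside the Match re-enables password-based root login from those addresses; `PermitRootLogin without-password` there keeps the key-only requirement while still granting the LAN exception. The comment should also say that both lines must be uncommented together.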
--
1.6.1.3