
Bug#522745: [security] debian/openssh-server.postinst improved sshd_config
Package: openssh-server
Version: 1:5.1p1-5
Severity: normal
Tags: security
The following patch improves security in default /etc/ssh/sshd_config file:

- PermitRootLogin change: from 'yes' to 'no'
- Add 'Match Address 192.168.1.0/26' example to limit root logins inside LAN
  (in comments; for sysadm to enable it)

Cosmetic:

- Add paragraph breaks between option groups

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser               3.110              add and remove users and groups
ii  debconf [debconf-2.0] 1.5.25             Debian configuration management sy
ii  dpkg                  1.14.25            Debian package management system
ii  libc6                 2.9-4              GNU C Library: Shared libraries
ii  libcomerr2            1.41.3-1           common error description library
ii  libkrb53              1.6.dfsg.4~beta1-6 MIT Kerberos runtime libraries
ii  libpam-modules        1.0.1-5            Pluggable Authentication Modules f
ii  libpam-runtime        1.0.1-5            Runtime support for the PAM librar
ii  libpam0g              1.0.1-5            Pluggable Authentication Modules l
ii  libselinux1           2.0.65-5           SELinux shared libraries
ii  libssl0.9.8           0.9.8g-15          SSL shared libraries
ii  libwrap0              7.6.q-16           Wietse Venema's TCP wrappers libra
ii  lsb-base              3.2-20             Linux Standard Base 3.2 init scrip
ii  openssh-blacklist     0.4.1              list of default blacklisted OpenSS
ii  openssh-client        1:5.1p1-5          secure shell client, an rlogin/rsh
ii  procps                1:3.2.7-11         /proc file system utilities
ii  zlib1g                1:1.2.3.3.dfsg-12  compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.3-2  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)

-- debconf information excluded
From d768f16e6a93ce9af395e58a8976aee0a3f2af3d Mon Sep 17 00:00:00 2001
From: Jari Aalto <jari.aalto@cante.net>
Date: Mon, 6 Apr 2009 11:31:19 +0300
Subject: [PATCH] - Add 'Match Address example' for local LAN
 - Change PermitRootLogin to 'no'.

---
 openssh-server.postinst |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)
 mode change 100644 => 100755 openssh-server.postinst

diff --git a/openssh-server.postinst b/openssh-server.postinst
old mode 100644
new mode 100755
index b7ea210..0d97ea5
--- a/openssh-server.postinst
+++ b/openssh-server.postinst
@@ -303,13 +303,17 @@ create_sshdconfig() {
 
 # What ports, IPs and protocols we listen for
 Port 22
+
 # Use these options to restrict which interfaces/protocols sshd will bind to
 #ListenAddress ::
 #ListenAddress 0.0.0.0
+
 Protocol 2
+
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_dsa_key
+
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 
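Review bot: this hunk only inserts blank lines, yet the patch as a whole also flips openssh-server.postinst from mode 100644 to 100755 (the "old mode"/"new mode" lines above), which has nothing to do with the sshd_config defaults named in the subject; drop the mode change, and consider splitting the paragraph-break changes from the PermitRootLogin change so that the security-relevant part of the diff can be reviewed on its own.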
@@ -323,7 +327,7 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 120
-PermitRootLogin yes
+PermitRootLogin no
 StrictModes yes
 
 RSAAuthentication yes
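Review bot: the new `PermitRootLogin no` lives inside create_sshdconfig(), so it only reaches systems where the postinst writes a fresh /etc/ssh/sshd_config; existing installs keep `yes`, and the changelog or NEWS entry should say so. Also, `no` refuses key-authenticated root logins as well, which breaks hosts that rely on root-over-SSH for backups or automation; if the goal is to stop password guessing against root, `PermitRootLogin without-password` blocks password logins while keeping key-based root access, and is worth considering as the generated default.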
@@ -332,10 +336,13 @@ PubkeyAuthentication yes
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
+
 # For this to work you will also need host keys in /etc/ssh_known_hosts
 RhostsRSAAuthentication no
+
 # similar for protocol version 2
 HostbasedAuthentication no
+
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 
@@ -375,6 +382,11 @@ AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server
 
 UsePAM yes
+
+# To permit root logins only in local LAN
+# Match Address 192.168.1.0/26
+#      PermitRootLogin yes
+
 EOF
 }
 
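Review bot: 192.168.1.0/26 covers only 192.168.1.0 to 192.168.1.63, which is not what an administrator uncommenting a "local LAN" example is likely to expect; use a /24 or an obviously placeholder network and state in the comment that it must be adjusted. Placing the block at the very end of the generated file is right, since every line after a `Match` line belongs to that block, but the comment should say so, otherwise an admin who later appends global options below the uncommented block silently scopes them to that address range. Finally, `#      PermitRootLogin yes` re-enables password logins for root from that range, not only key-based ones; the comment should make that explicit given the global `PermitRootLogin no` set earlier in the same file.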
-- 
1.6.1.3
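As an added illustration, not code from the bug report, the patch, or OpenSSH, of how sshd resolves PermitRootLogin once the commented Match block is enabled: a small Python reader for the subset of sshd_config used by the proposed default (global keywords plus Match Address blocks with CIDR patterns). The SAMPLE_CONFIG is constructed and the function names are my own; it assumes numeric CIDR address patterns and the OpenSSH 5.x default of 'yes' when no value is set. Running it also makes the /26 caveat visible: a host at 192.168.1.100 is on the same /24 but falls outside the example range.

```python
"""Resolve the PermitRootLogin value sshd applies to a given client address.

Added example (not from the Debian bug report or OpenSSH): a reader for the
subset of sshd_config used by the proposed default. Hostname/wildcard patterns
and Match criteria other than Address are out of scope here.
"""
import ipaddress

# Constructed sample: the patched default (PermitRootLogin no) with the
# commented Match block from the patch uncommented, as an admin would do.
SAMPLE_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
UsePAM yes

# To permit root logins only in local LAN
Match Address 192.168.1.0/26
      PermitRootLogin yes
"""


def parse_sshd_config(text):
    """Return (global_options, match_blocks).

    Keywords are case-insensitive, so they are lower-cased. Every line after a
    'Match' line belongs to that block until the next 'Match', which is why the
    patch places its example at the end of the generated file.
    """
    global_options = {}
    match_blocks = []        # list of (criteria dict, options dict), in file order
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1]
                        for i in range(0, len(tokens) - 1, 2)}
            current = (criteria, {})
            match_blocks.append(current)
        elif current is None:
            global_options.setdefault(keyword, value)   # first value wins
        else:
            current[1].setdefault(keyword, value)
    return global_options, match_blocks


def address_matches(client_addr, pattern_list):
    """Evaluate a comma-separated CIDR list as sshd does: a negated ('!')
    entry that matches rejects the whole list, a positive match accepts."""
    ip = ipaddress.ip_address(client_addr)
    for pattern in pattern_list.split(","):
        pattern = pattern.strip()
        negated = pattern.startswith("!")
        if negated:
            pattern = pattern[1:]
        try:
            network = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            continue       # hostname or wildcard pattern: not handled here
        if ip in network:
            return not negated
    return False


def effective_permit_root_login(config_text, client_addr):
    """Value of PermitRootLogin for a connection from client_addr.

    sshd applies the first satisfied Match block that sets the keyword; if none
    does, the global value applies, and if that is absent the OpenSSH 5.x
    upstream default of 'yes' is assumed here.
    """
    global_options, match_blocks = parse_sshd_config(config_text)
    for criteria, options in match_blocks:
        if "address" not in criteria:
            continue       # only Address criteria are evaluated in this example
        if address_matches(client_addr, criteria["address"]) \
                and "permitrootlogin" in options:
            return options["permitrootlogin"]
    return global_options.get("permitrootlogin", "yes")


if __name__ == "__main__":
    for addr in ("192.168.1.10", "192.168.1.100", "10.0.0.5"):
        print(addr, "->", effective_permit_root_login(SAMPLE_CONFIG, addr))
```

On a real host the authoritative answer comes from sshd itself (`sshd -T -C addr=192.168.1.10,user=root,host=x,laddr=...` prints the effective configuration for a connection); the reader above is only meant to show why the Match block has to sit last and how narrow a /26 really is.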