
Bug#522745: marked as done ([security] debian/openssh-server.postinst improved sshd_config)



Your message dated Sun, 2 Apr 2017 02:45:39 +0100
with message-id <20170402014539.GO9002@riva.ucam.org>
and subject line Re: Bug#522745: [security] debian/openssh-server.postinst improved sshd_config
has caused the Debian Bug report #522745,
regarding [security] debian/openssh-server.postinst improved sshd_config
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
522745: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522745
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:5.1p1-5
Severity: normal
Tags: security


The following patch improves security in default /etc/ssh/sshd_config file:

- PermitRootLogin change: from 'yes' to 'no'
- Add 'Match Address 192.168.1.0/26' example to limit root logins inside LAN
  (in comments; for sysadm to enable it)

Cosmetic:

- Add paragraph breaks between option groups

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser               3.110              add and remove users and groups
ii  debconf [debconf-2.0] 1.5.25             Debian configuration management sy
ii  dpkg                  1.14.25            Debian package management system
ii  libc6                 2.9-4              GNU C Library: Shared libraries
ii  libcomerr2            1.41.3-1           common error description library
ii  libkrb53              1.6.dfsg.4~beta1-6 MIT Kerberos runtime libraries
ii  libpam-modules        1.0.1-5            Pluggable Authentication Modules f
ii  libpam-runtime        1.0.1-5            Runtime support for the PAM librar
ii  libpam0g              1.0.1-5            Pluggable Authentication Modules l
ii  libselinux1           2.0.65-5           SELinux shared libraries
ii  libssl0.9.8           0.9.8g-15          SSL shared libraries
ii  libwrap0              7.6.q-16           Wietse Venema's TCP wrappers libra
ii  lsb-base              3.2-20             Linux Standard Base 3.2 init scrip
ii  openssh-blacklist     0.4.1              list of default blacklisted OpenSS
ii  openssh-client        1:5.1p1-5          secure shell client, an rlogin/rsh
ii  procps                1:3.2.7-11         /proc file system utilities
ii  zlib1g                1:1.2.3.3.dfsg-12  compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra       0.4.1      list of non-default blacklisted Op
ii  xauth                         1:1.0.3-2  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                   <none>     (no description available)
pn  rssh                          <none>     (no description available)
pn  ssh-askpass                   <none>     (no description available)

-- debconf information excluded
From d768f16e6a93ce9af395e58a8976aee0a3f2af3d Mon Sep 17 00:00:00 2001
From: Jari Aalto <jari.aalto@cante.net>
Date: Mon, 6 Apr 2009 11:31:19 +0300
Subject: [PATCH] - Add 'Match Address example' for local LAN
 - Change PermitRootLogin to 'no'.

---
 openssh-server.postinst |   14 +++++++++++++-
 1 files changed, 13 insertions(+), 1 deletions(-)
 mode change 100644 => 100755 openssh-server.postinst

diff --git a/openssh-server.postinst b/openssh-server.postinst
old mode 100644
new mode 100755
index b7ea210..0d97ea5
--- a/openssh-server.postinst
+++ b/openssh-server.postinst
@@ -303,13 +303,17 @@ create_sshdconfig() {
 
 # What ports, IPs and protocols we listen for
 Port 22
+
 # Use these options to restrict which interfaces/protocols sshd will bind to
 #ListenAddress ::
 #ListenAddress 0.0.0.0
+
 Protocol 2
+
 # HostKeys for protocol version 2
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_dsa_key
+
 #Privilege Separation is turned on for security
 UsePrivilegeSeparation yes
 
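Review bot: this hunk only adds blank lines, yet the patch header also carries an unrelated mode change 100644 => 100755 for openssh-server.postinst; drop the mode change (the packaging already installs maintainer scripts executable) and keep the whitespace-only hunks in a separate cosmetic commit from the PermitRootLogin change, so the behavioural change can be reviewed and reverted on its own.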
@@ -323,7 +327,7 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 120
-PermitRootLogin yes
+PermitRootLogin no
 StrictModes yes
 
 RSAAuthentication yes
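Review bot: with this hunk a freshly generated config refuses root entirely, because the Match Address block appended at the end of the file ships commented out; 'PermitRootLogin without-password' (key-only root login) would stop password guessing against root while keeping key-based root access, which is what automation relying on root keys usually needs. The commit message should also say whether create_sshdconfig() runs on upgrades or only when no sshd_config exists yet, since that decides whether existing installs change behaviour.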
@@ -332,10 +336,13 @@ PubkeyAuthentication yes
 
 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes
+
 # For this to work you will also need host keys in /etc/ssh_known_hosts
 RhostsRSAAuthentication no
+
 # similar for protocol version 2
 HostbasedAuthentication no
+
 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
 #IgnoreUserKnownHosts yes
 
@@ -375,6 +382,11 @@ AcceptEnv LANG LC_*
 Subsystem sftp /usr/lib/openssh/sftp-server
 
 UsePAM yes
+
+# To permit root logins only in local LAN
+# Match Address 192.168.1.0/26
+#      PermitRootLogin yes
+
 EOF
 }
 
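Review bot: the comment should state why the Match block must stay at the end of the file: every directive after a 'Match' line is scoped to that block until the next 'Match', so a global option added below it later would silently apply only to 192.168.1.0/26. Also, a /26 covers just 192.168.1.0 to 192.168.1.63, which is an odd example for "local LAN"; either use a /24 or say in the comment that the range has to be adjusted to the site's network.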
-- 
1.6.1.3


--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.4p1-1

On Wed, Apr 08, 2009 at 07:36:58PM +0300, Jari Aalto wrote:
> Colin Watson <cjwatson@debian.org> writes:
> > > - Add 'Match Address 192.168.1.0/26' example to limit root logins
> > > inside LAN
> > >   (in comments; for sysadm to enable it)
> >
> > Wouldn't this be better as an example in the manual page?
> 
> It appears that debian/openssh-server.postinst is different from the one
> shipped with the original sources:
> 
>     apt-get source openssh-server
>     cd openssh-5.1p1/
>     tail sshd_config

Indeed, that was true at that time.  I've since switched to using ucf to
manage sshd_config, so that's no longer a problem.

The score with 1:7.4p1-1 and newer relative to your original report is:

 * PermitRootLogin is now "prohibit-password" by default since
   1:6.6p1-1, matching upstream;
 * The Match example from upstream is now present;
 * Paragraph breaks in the upstream file seem broadly reasonable.

So I think it's now correct for me to close this bug report.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

--- End Message ---
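As an added illustration of the two points the thread turns on, the Match block semantics from the original report and the "prohibit-password" default noted in the closing reply, the following Python resolves the effective value of an sshd_config option for a given client address and user. This is example code written for this page, not part of the patch or of the openssh package. It assumes sshd's documented rules (the first matching Match block that sets a keyword wins over the global section; within a section the first value seen for a keyword is kept), and the sample configuration is constructed here, modelled on the file in the patch with the global PermitRootLogin set to prohibit-password and the Match Address block uncommented. Only Address (CIDR or single host) and User criteria are handled.

```python
import fnmatch
import ipaddress

# Constructed sample sshd_config for this example, modelled on the file
# discussed in the bug thread: global PermitRootLogin uses the Debian
# default "prohibit-password" and the Match Address block from the patch
# is enabled (uncommented).
SAMPLE_SSHD_CONFIG = """\
# What ports, IPs and protocols we listen for
Port 22

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes
PasswordAuthentication yes

UsePAM yes

# To permit root logins only in local LAN
Match Address 192.168.1.0/26
      PermitRootLogin yes
"""


def parse_match_criteria(spec):
    """Turn 'Address 192.168.1.0/26,10.0.0.0/8 User root' into
    {'address': [...], 'user': [...]}.  'Match all' yields {} (matches
    every connection)."""
    tokens = spec.split()
    if tokens == ["all"]:
        return {}
    if len(tokens) % 2:
        raise ValueError(f"malformed Match line: {spec!r}")
    return {name.lower(): pattern.split(",")
            for name, pattern in zip(tokens[0::2], tokens[1::2])}


def parse_sshd_config(text):
    """Split sshd_config text into global options plus Match blocks in file
    order.  Every directive after a 'Match' line belongs to that block until
    the next 'Match', which is why Match blocks must sit at the end of the
    file.  Keywords are case-insensitive and, as in sshd, the first value
    seen for a keyword in a section wins (setdefault keeps the first)."""
    global_opts, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = (parse_match_criteria(value), {})
            blocks.append(current)
        elif current is None:
            global_opts.setdefault(key, value)
        else:
            current[1].setdefault(key, value)
    return global_opts, blocks


def block_matches(criteria, client_addr, user):
    """True if a connection from client_addr as user satisfies every
    criterion of a Match block.  Address patterns are limited here to CIDR
    ranges or single hosts; User patterns use sshd-style * and ? globs."""
    ip = ipaddress.ip_address(client_addr)
    for name, patterns in criteria.items():
        if name == "address":
            if not any(ip in ipaddress.ip_network(p, strict=False) for p in patterns):
                return False
        elif name == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in patterns):
                return False
        else:
            raise ValueError(f"unsupported Match criterion in this example: {name}")
    return True


def effective_option(config_text, option, client_addr, user):
    """Value sshd applies to `option` for this connection: the first matching
    Match block that sets it wins, otherwise the global value, otherwise
    None (meaning sshd's compiled-in default applies)."""
    global_opts, blocks = parse_sshd_config(config_text)
    key = option.lower()
    for criteria, opts in blocks:
        if key in opts and block_matches(criteria, client_addr, user):
            return opts[key]
    return global_opts.get(key)


if __name__ == "__main__":
    # 192.168.1.100 lies outside the /26 (which ends at .63), so it falls
    # back to the global prohibit-password value, the point raised in review.
    for addr in ("192.168.1.10", "192.168.1.100", "10.0.0.5"):
        value = effective_option(SAMPLE_SSHD_CONFIG, "PermitRootLogin", addr, "root")
        print(f"root from {addr:14} -> PermitRootLogin {value}")
```

On a real host the authoritative answer comes from sshd itself: `sshd -T -C user=root,host=<client-name>,addr=<client-ip> | grep -i permitrootlogin` prints the effective value for that connection, which is the check to run after enabling a Match block.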
