
Re: SSH update problem



Alain Tesio wrote:
> 
> Also look at the comments on the latest thread on
> DebianPlanet; it seems the update changes the sshd
> config on potato and allows a root login.
> 
 
Yes, root login is allowed. The ssh maintainer decided this
after a long discussion, and he closes all bug reports
relating to this feature.

See: /usr/share/doc/ssh/README.Debian.gz

PermitRootLogin set to yes
--------------------------

This is now the default setting (in line with upstream), and people
who asked for an automatically-generated configuration file when
upgrading from potato (or on a new install) will have this setting in
their /etc/ssh/sshd_config file.

Should you wish to change this setting, edit /etc/ssh/sshd_config, and
change:
PermitRootLogin yes
to:
PermitRootLogin no

Having PermitRootLogin set to yes means that an attacker that knows
the root password can ssh in directly (without having to go via a user
account). If you set it to no, then they must compromise a normal user
account. In the vast majority of cases, this does not give added
security; remember that any account you su to root from is equivalent
to root - compromising this account gives an attacker access to root
easily. If you only ever log in as root from the physical console,
then you probably want to set this value to no.

As an aside, PermitRootLogin can also be set to "without-password" or
"forced-commands-only" - see sshd(8) for more details.

DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!

The argument above is somewhat condensed; I have had this discussion
at great length with many people. If you think the default is
incorrect, and feel strongly enough to want to argue with me about it,
then send me email to matthew@debian.org. I will close bug reports
claiming the default is incorrect.





One last thing that surprised me: I was able to log in to a machine (on
which I have an account) with the login of a user who has
"/bin/false" as a shell. I landed in my home directory. This
led me to add the following line to the file "/etc/pam.d/ssh":

auth  required  pam_shells.so


Can someone else test this?
-- 
==============================================
|              FREDERIC MASSOT               |
|     http://www.juliana-multimedia.com      |
|   mailto:frederic@juliana-multimedia.com   |
===========================Debian=GNU/Linux===
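
An added example, not part of the original message or of the Debian package: a small Python audit of the two settings discussed above, the global PermitRootLogin value in sshd_config and whether pam_shells.so is enforced in /etc/pam.d/ssh, plus the accounts pam_shells would turn away because their shell is not listed in /etc/shells. The function names and the sample file contents are constructed for illustration.

```python
# Added illustration; function names and sample file contents are constructed.

def effective_permit_root_login(sshd_config):
    """Global PermitRootLogin value, or None when the file does not set it."""
    for raw in sshd_config.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].lower()          # keywords are case-insensitive
        if keyword == "match":               # what follows is conditional
            break
        if keyword == "permitrootlogin" and len(fields) > 1:
            return fields[1]                 # sshd keeps the first value it reads
    return None

def pam_shells_required(pam_ssh):
    """True if an active auth/account line makes pam_shells.so mandatory."""
    for raw in pam_ssh.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 3 and fields[0] in ("auth", "account")
                and fields[1] in ("required", "requisite")
                and fields[2].endswith("pam_shells.so")):
            return True
    return False

def rejected_by_pam_shells(passwd, shells):
    """(user, shell) pairs whose shell is missing from /etc/shells."""
    lines = (l.strip() for l in shells.splitlines())
    allowed = {l for l in lines if l and not l.startswith("#")}
    rejected = []
    for entry in passwd.splitlines():
        f = entry.split(":")
        if len(f) == 7:
            shell = f[6] or "/bin/sh"        # passwd(5): empty field means /bin/sh
            if shell not in allowed:
                rejected.append((f[0], shell))
    return rejected

# Constructed sample inputs
SSHD_CONFIG = "# sample\nPort 22\nPermitRootLogin yes\npermitrootlogin no\n"
PAM_BEFORE = "auth required pam_unix.so\n#auth required pam_shells.so\n"
PAM_AFTER = PAM_BEFORE + "auth  required  pam_shells.so\n"
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "ftpuser:x:1001:1001::/home/ftpuser:/bin/false\n"
          "alice:x:1002:1002::/home/alice:\n")
SHELLS = "# /etc/shells\n/bin/sh\n/bin/bash\n"

if __name__ == "__main__":
    print("PermitRootLogin:", effective_permit_root_login(SSHD_CONFIG))
    print("pam_shells before/after:", pam_shells_required(PAM_BEFORE), pam_shells_required(PAM_AFTER))
    print("rejected:", rejected_by_pam_shells(PASSWD, SHELLS))
```

pam_shells only refuses a "/bin/false" account when "/bin/false" is absent from /etc/shells, so the third check is worth running against the real files before relying on the PAM line.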

