Re: openssh-server's default config is dangerous
On Tue, Jul 12, 2016 at 02:20:38PM +0200, tomas@tuxteam.de wrote:
> On Tue, Jul 12, 2016 at 03:05:35PM +0300, Reco wrote:
> > Hi.
> >
> > On Tue, Jul 12, 2016 at 11:26:10AM +0200, mwnx wrote:
> > > Currently, after installing openssh-server, anyone can gain access
> > > to any user's account on the system using only the corresponding
> > > user's password. As we know, people do not necessarily use the most
> > > secure of passwords. This will especially be the case if the user
> > > does not expect his computer to be accessible in any way from the
> > > outside.
> >
> > So, you're blaming a perfectly good (and reasonably secure) way of
> > remote access, but somehow assume that weak passwords are ok.
> > By that logic you should not stop there. Why not blame any remote access
> > mechanism that uses PAM for password checking as well?
>
> I still think the OP has a point. I don't know how a solution might look
> which makes sense (a default config with password disabled seems a bit
> strong, TBH), but IMHO it's worth thinking about the problem instead
> of dismissing it off-hand.

The easiest thing to do is to change the default config:

Create a group, sshlogin.

Add root and UID 1000 (the user created at install time) to that
group.

Add this line to /etc/ssh/sshd_config:

AllowGroups sshlogin

From man sshd_config:

If specified, login is allowed only for users whose primary group or
supplementary group list matches one of the patterns. Only group names
are valid; a numerical group ID is not recognized. By default, login
is allowed for all groups. The allow/deny directives are processed
in the following order: DenyUsers, AllowUsers, DenyGroups, and finally
AllowGroups.

And finally, update the documentation to reflect this.

The downside is that this is a major change in behavior; the
upside is that it is consistent with other things that Debian
does.
-dsr-
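
The access check this proposal relies on, as an added example that is not part of the original message: a small auditor that reads the allow/deny lists from an sshd_config and reports which accounts would still be allowed to log in, following the processing order quoted from the man page. The accounts alice and bob and the sample config are constructed; the code assumes only the global section (before any Match block) matters and handles only `*` and `?` wildcards, not negated or USER@HOST patterns.

```python
import re

DIRECTIVES = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse_access_lists(config_text):
    """Collect the allow/deny lists from the global part of an sshd_config."""
    lists = {name: [] for name in DIRECTIVES}
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        keyword = parts[0].lower()            # keywords are case-insensitive
        if keyword == "match":                # simplification: global section only
            break
        if keyword in lists:
            lists[keyword].extend(parts[1:])  # repeated directives accumulate
    return lists

def _matches(name, patterns):
    """True if name matches any pattern; only '*' and '?' are handled."""
    to_regex = lambda p: re.escape(p).replace(r"\*", ".*").replace(r"\?", ".")
    return any(re.fullmatch(to_regex(p), name) for p in patterns)

def login_decision(user, groups, lists):
    """Apply DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order."""
    if _matches(user, lists["denyusers"]):
        return (False, "DenyUsers")
    if lists["allowusers"] and not _matches(user, lists["allowusers"]):
        return (False, "AllowUsers")
    if any(_matches(g, lists["denygroups"]) for g in groups):
        return (False, "DenyGroups")
    if lists["allowgroups"] and not any(
            _matches(g, lists["allowgroups"]) for g in groups):
        return (False, "AllowGroups")
    return (True, "not refused")

# Constructed sample data: the proposed default plus made-up accounts.
SAMPLE_CONFIG = "# constructed example\nAllowGroups sshlogin\n"
SAMPLE_ACCOUNTS = {"root": ["root", "sshlogin"], "alice": ["alice", "sshlogin"],
                   "bob": ["bob", "users"]}  # alice stands in for UID 1000

def audit(config_text, accounts):
    lists = parse_access_lists(config_text)
    return {u: login_decision(u, g, lists) for u, g in accounts.items()}

if __name__ == "__main__":
    for user, (allowed, rule) in audit(SAMPLE_CONFIG, SAMPLE_ACCOUNTS).items():
        print(f"{user:8} {'allowed' if allowed else 'refused'} ({rule})")
```

Accounts that pass this check can still authenticate with a password; the directive narrows which accounts are reachable, not how they authenticate.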