Re: openssh-server's default config is dangerous
On Tue, Jul 12, 2016 at 08:34:33AM -0400, Dan Ritter wrote:
[...]
> The easiest thing to do is to change the default config:
>
> create a group, sshlogin
>
> Add root and UID 1000 (the user created at install time) to that
> group.
>
> add this line to /etc/ssh/sshd_config:
> AllowGroups sshlogin
>
> from man sshd_config:
>
> If specified, login is allowed only for users whose primary group or
> supplementary group list matches one of the patterns. Only group names
> are valid; a numerical group ID is not recognized. By default, login
> is allowed for all groups. The allow/deny directives are processed
> in the following order: DenyUsers, AllowUsers, DenyGroups, and finally
> AllowGroups.
>
> and finally, update the documentation to reflect this.
>
> The downside is that this is a major change in behavior; the
> upside is that it is consistent with other things that Debian
> does.

Hmmm. This would still allow password auth for user 1000 (and root (!)).
I think OP's concern was exactly that.

My question would be... what would be the consequences of changing
those defaults? Or perhaps, of asking the user at package config
time?

regards
-- t
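As an added example (not part of the original thread, and not OpenSSH code), the following Python sketch applies the allow/deny order quoted from the man page to a config and reports, per account, whether login is admitted and whether password authentication is still enabled. The account names and group memberships are constructed. It assumes no Match blocks, approximates sshd's patterns with shell-style wildcards (no negation, no USER@HOST forms), and does not evaluate PermitRootLogin.

```python
from fnmatch import fnmatchcase

# Constructed sample: the proposal from the thread, nothing else changed.
SAMPLE_CONFIG = "AllowGroups sshlogin\n"
# Constructed accounts: name -> primary and supplementary group names.
SAMPLE_ACCOUNTS = {
    "root": ["root", "sshlogin"],
    "alice": ["alice", "sshlogin"],  # stands in for UID 1000
    "backup": ["backup"],
}
LISTS = ("denyusers", "allowusers", "denygroups", "allowgroups")

def parse(text):
    """Collect global keywords; Match blocks are out of scope, so stop there."""
    conf = {}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        key, args = words[0].lower(), words[1:]
        if key == "match":
            break
        if key in LISTS:
            conf.setdefault(key, []).extend(args)
        else:
            conf.setdefault(key, " ".join(args))  # first occurrence wins
    return conf

def matches(names, patterns):
    return any(fnmatchcase(n, p) for n in names for p in patterns)

def login_allowed(conf, user, groups):
    """Order from the quoted man page: DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    if matches([user], conf.get("denyusers", [])):
        return False
    if "allowusers" in conf and not matches([user], conf["allowusers"]):
        return False
    if matches(groups, conf.get("denygroups", [])):
        return False
    if "allowgroups" in conf and not matches(groups, conf["allowgroups"]):
        return False
    return True

def password_auth_enabled(conf):
    # An absent PasswordAuthentication line means sshd's default, "yes".
    return conf.get("passwordauthentication", "yes").lower() == "yes"

def audit(text, accounts):
    conf = parse(text)
    return {u: (login_allowed(conf, u, g), password_auth_enabled(conf)) for u, g in accounts.items()}
```

Each value returned by `audit` is a pair `(login admitted, password auth enabled)`; on a live system `sshd -T` prints the effective settings to compare against.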