[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: openssh-server's default config is dangerous

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jul 12, 2016 at 08:34:33AM -0400, Dan Ritter wrote:

[...]

> The easiest thing to do is to change the default config:
> 
> create a group, sshlogin
> 
> Add root and UID 1000 (the user created at install time) to that
> group.
> 
> add this line to /etc/ssh/sshd_config:
> AllowGroup sshlogin
> 
> from man sshd_config:
> 
>   If specified, login is allowed only for users whose primary group or
>   supplementary group list matches one of the patterns.  Only group names
>   are valid; a numerical group ID is not recognized.  By default, login
>   is allowed for all groups.  The allow/deny directives are processed
>   in the following order: DenyUsers, AllowUsers, DenyGroups, and finally
>   AllowGroups.
> 
> and finally, update the documentation to reflect this. 
> 
> The downside is that this is a major change in behavior; the
> upside is that it is consistent with other things that Debian
> does.

Hmmm. This would still allow password auth for user 1000 (and root (!)).
I think OP's concern was exactly that.

My question would be... what would be the consequences of changing
those defaults? Or perhaps, of asking the user at package config
time?

regards
- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAleE558ACgkQBcgs9XrR2kYmrgCfbtv1IoZWgTrLtpNl44JqEeK8
uGgAmQGuKQ/6CxeCqJbNxES4aG1e/dV4
=CqQn
-----END PGP SIGNATURE-----
Reply to: