Re: openssh-server's default config is dangerous
On Tue, Jul 12, 2016 at 03:45:06PM +0300, Reco wrote:
> On Tue, Jul 12, 2016 at 02:20:38PM +0200, tomas@tuxteam.de wrote:
> > I still think the OP has a point. [...]
> I can think of several 'solutions for the problem', but most of them are
> either unrealistic or redundant:
>
> 1) Change Debian Policy which mandates starting a daemon on package
> install.
I think this is the wrong alley: Making this a problem of "all daemons"
renders the problem practically intractable.
While it makes sense to keep a more general solution in sight, sshd
is in many respects special.
> 2) Add 'AllowGroups ssh' to the stock sshd_config.
>
> 3) Add a debconf template to the openssh-server package which allows
> choosing local users for the 'AllowUsers' stanza of sshd_config.
>
> 4) Block all incoming connections to tcp port 22 by default.
And how about changing the default to "PasswordAuthentication no"?
regards
-- t
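A way to check a concrete sshd_config for the two defaults this thread argues about (no AllowUsers/AllowGroups restriction, and PasswordAuthentication left at its default of yes), as an added example that is not part of the original thread. The two sample configs are constructed, and the resolution rules (case-insensitive keywords, first occurrence wins, settings after the first Match block are conditional) follow sshd_config(5).

```python
import re

# OpenSSH defaults for the keywords under discussion (sshd_config(5)); None = unset.
DEFAULTS = {"passwordauthentication": "yes", "allowusers": None, "allowgroups": None}

def effective_config(text):
    """Resolve global settings the way sshd does: keywords are case-insensitive,
    the first occurrence of a keyword wins, '#' lines are comments, and anything
    after the first Match block is conditional, so it is left out of the global view."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Keyword value" or "Keyword=value"
        key = parts[0].lower()
        if key == "match":
            break
        values.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return values

def audit(text):
    """Return the findings a reviewer would raise against this config."""
    cfg = effective_config(text)
    findings = []
    pw = cfg.get("passwordauthentication", DEFAULTS["passwordauthentication"])
    if pw.lower() != "no":
        findings.append("PasswordAuthentication is effectively yes: any account with "
                        "a guessable password is reachable from the network")
    if not (cfg.get("allowusers") or cfg.get("allowgroups")):
        findings.append("neither AllowUsers nor AllowGroups is set: every local "
                        "account is a valid SSH login")
    return findings

# Constructed samples: one leaves the stock defaults alone, the other applies
# option 2 and the PasswordAuthentication change from the message above.
STOCK = """# constructed: an untouched stock file
#PasswordAuthentication yes
UsePAM yes
"""
HARDENED = """# constructed
AllowGroups ssh
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["no findings"])
```

On a live host the same questions are answered by `sshd -T`, which prints the effective global values after all includes and defaults are applied.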