[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: openssh-server's default config is dangerous

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jul 12, 2016 at 03:45:06PM +0300, Reco wrote:
> On Tue, Jul 12, 2016 at 02:20:38PM +0200, tomas@tuxteam.de wrote:
> > I still think the OP has a point. [...]

> I can think of several 'solutions for the problem', but most of them are
> either unrealistic or redundant:
> 
> 1) Change Debian Policy which mandates starting a daemon on package
> install.

I think this is the wrong alley: Making this a problem of "all daemons"
renders the problem practically intractable.

While it makes sense to keep a more general solution in sight, sshd
is in many respects special.

> 2) Add 'AllowGroups ssh' to the stock sshd_config.
> 
> 3) Add a debconf template to openssh-server package which allows to
> choose local users for 'AllowUsers' stanza of sshd_config.
> 
> 4) Block all incoming connections to tcp port 22 by default.

And how about changing the default to "PasswordAuthentication no"?

regards
- -- t
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAleE6MEACgkQBcgs9XrR2kbj1wCfZ4b+s3JyR/LdySApPMKQsAxU
UZwAnR1vcj9CdMAf0RQG0A1iBaiRPFd+
=q1//
-----END PGP SIGNATURE-----
Reply to: