
Re: openssh-server's default config is dangerous




On Tue, Jul 12, 2016 at 09:02:23AM -0400, Stefan Monnier wrote:
> > That weak passwords are a problem in themselves or that other services
> > get started right away after install too is irrelevant to the point
> > made -- again IMHO.
> 
> Reminds me of a need I couldn't conveniently satisfy: allow known weak
> passwords on some specific user accounts but make sure you can not use
> them remotely (in my case I only wanted to allow GDM logins for them).
> 
> E.g. make it so that sshd only lets you login if your user is in the
> "ssh-able" group or some such, just like we do for sudo.

I think that is what AllowGroups and DenyGroups (and their twins
-Users) in the sshd_config are for.

Some proposals in this thread go in that direction.

regards
-- tomás
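The group-based restriction discussed in this message, as an added example that is not part of the original post: a small Python check that reads the four access-control directives from sshd_config text and reports which accounts sshd would accept, using the evaluation order documented in sshd_config(5). The group name "ssh-able" comes from the thread; the sample config and the accounts alice and kiosk are constructed, and pattern matching is simplified (no USER@HOST or negated patterns).

```python
from fnmatch import fnmatchcase

# Constructed sample: only members of "ssh-able" may log in over SSH.
SAMPLE_CONFIG = """\
# constructed sample, not from the thread
PasswordAuthentication yes
AllowGroups ssh-able
"""
# Constructed accounts: kiosk has a weak password and is meant for local (GDM) login only.
ACCOUNTS = {"alice": ["alice", "ssh-able"], "kiosk": ["kiosk"]}


def parse_sshd_config(text):
    """Collect the Allow/Deny Users/Groups pattern lists from sshd_config text."""
    acl = {"denyusers": [], "allowusers": [], "denygroups": [], "allowgroups": []}
    for line in text.splitlines():
        words = line.split("#", 1)[0].split()
        if words and words[0].lower() in acl:  # keywords are case-insensitive
            acl[words[0].lower()] += words[1:]
    return acl


def matches(names, patterns):
    """True if any name matches any pattern (simplified: fnmatch-style wildcards)."""
    return any(fnmatchcase(n, p) for n in names for p in patterns)


def ssh_login_allowed(user, groups, acl):
    """Order per sshd_config(5): DenyUsers, AllowUsers, DenyGroups, AllowGroups."""
    if matches([user], acl["denyusers"]):
        return False
    if acl["allowusers"] and not matches([user], acl["allowusers"]):
        return False
    if matches(groups, acl["denygroups"]):
        return False
    if acl["allowgroups"] and not matches(groups, acl["allowgroups"]):
        return False
    return True


def audit(config_text, accounts):
    """Map each account name to whether sshd's access lists would admit it."""
    acl = parse_sshd_config(config_text)
    return {u: ssh_login_allowed(u, g, acl) for u, g in accounts.items()}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, ACCOUNTS))
```

With no Allow/Deny directives at all, every account passes these checks, which is the default behaviour the thread is concerned about.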

