
Re: openssh-server's default config is dangerous



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Tue, Jul 12, 2016 at 04:24:41PM +0300, Reco wrote:
> On Tue, Jul 12, 2016 at 02:55:29PM +0200, tomas@tuxteam.de wrote:

[...]

> > While it makes sense to keep a more general solution in sight, sshd
> > is in many respects special.
> 
> Such as?

Hm. Given its task, it runs as root. And is designed to run arbitrary
commands from "outside" whenever the credentials are right. In my
view, this puts some weight on those credentials.

[...]

> > And how about changing the default to "PasswordAuthentication no"?
> 
> There are several things that can go wrong here:
> 
> 1) Headless systems.
> 
> PasswordAuthentication=no implies providing either public key or
> certificate to the host (let's not go into kerberos-based setups for now).
> Doing so via preseed file during the install is tricky, doing so after
> the install would require a serial console or physical access to the
> local storage. To sum it up - a complication at best.

Absolutely. That's why I wouldn't propose to do it right away, but to
*think* about it. My workflow, for example (I always use keys whenever
I have any say on the server), is to do ssh-copy-id to the server; this
only works if, for this very first time, there's another way of auth!

And think of Lisi, who in the other post says she isn't using keys: whatever
solution must not make her life unnecessarily more difficult.

So this can only be part of a solution, if at all. I know that.

> 2) Keypair type.
> 
> As of jessie stock sshd allows 6 ('ssh -Q key | grep -v cert') keypair
> types, and of those one is secure - ed25519.

C'mon. This is just a choice of defaults which can be improved on.

Regards
- -- tomás
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAleE8zUACgkQBcgs9XrR2kam+wCfZmmjRdrKpDAMOL1qsjdnL8OC
QGAAn0F10F147jXxySn5NjBwVLtC3Irs
=yDXS
-----END PGP SIGNATURE-----
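The thread turns on what sshd's effective PasswordAuthentication value is on a stock install, where the keyword is usually only present as a comment. The script below is an added example, not code from the thread or from Debian's openssh packaging: it reads an sshd_config from stdin and reports the effective global value using sshd's own parsing rules (case-insensitive keywords, `Keyword value` and `Keyword=value` both accepted, the first occurrence of a keyword wins, a missing keyword means the compiled-in default of `yes`, and directives after the first `Match` line are conditional and so not part of the global value). The sample configs are constructed for the demonstration; the function and keyword names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread above: determine the effective
# global PasswordAuthentication setting of an sshd_config the way sshd reads
# it. Rules applied: keywords are case-insensitive, "Keyword value" and
# "Keyword=value" are both accepted, the FIRST occurrence of a keyword wins,
# an absent keyword falls back to the compiled-in default ("yes" for
# PasswordAuthentication), and anything after the first Match line is
# conditional, so it does not contribute to the global value.

# effective_setting KEYWORD DEFAULT   (config text on stdin)
# Prints the effective global value of KEYWORD, lower-cased.
effective_setting() {
    awk -v key="$1" -v def="$2" '
        {
            sub(/#.*/, "")            # drop comments
            sub(/^[ \t]+/, "")        # drop leading whitespace
            if ($0 == "") next        # skip blank lines
            split($0, f, /[ \t=]+/)   # f[1] = keyword, f[2] = value
            if (tolower(f[1]) == "match") exit      # rest is conditional
            if (tolower(f[1]) == tolower(key)) {    # first occurrence wins
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print def }
    '
}

# audit_password_auth   (config text on stdin)
# Prints "WARN" when password logins are accepted globally, "ok" otherwise.
audit_password_auth() {
    case "$(effective_setting PasswordAuthentication yes)" in
        no) echo ok ;;
        *)  echo WARN ;;
    esac
}

# Constructed sample configs (not real host files) covering the edge cases.
cfg_default='# stock-style file: keyword only commented out, so the default (yes) applies
#PasswordAuthentication yes
UsePAM yes'

cfg_first_wins='PasswordAuthentication yes
PasswordAuthentication no'

cfg_match='PasswordAuthentication=no
Match User deploy
    PasswordAuthentication yes'

printf '%s\n' "$cfg_default"    | audit_password_auth   # WARN
printf '%s\n' "$cfg_first_wins" | audit_password_auth   # WARN
printf '%s\n' "$cfg_match"      | audit_password_auth   # ok
```

To check a real host, feed it `/etc/ssh/sshd_config` (`effective_setting PasswordAuthentication yes < /etc/ssh/sshd_config`) and compare against `sshd -T`, which prints the configuration sshd itself would use and is the authoritative answer; the script is a quick, dependency-free approximation that deliberately ignores `Match` blocks rather than evaluating them.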