
Re: openssh-server's default config is dangerous

On Tue, Jul 12, 2016 at 03:40:05PM +0200, tomas@tuxteam.de wrote:
> On Tue, Jul 12, 2016 at 04:24:41PM +0300, Reco wrote:
> > On Tue, Jul 12, 2016 at 02:55:29PM +0200, tomas@tuxteam.de wrote:
> 
> [...]
> 
> > > While it makes sense to keep a more general solution in sight, sshd
> > > is in many respects special.
> > 
> > Such as?
> 
> Hm. Given its task, it runs as root. And is designed to run arbitrary
> commands from "outside" whenever the credentials are right. In my
> view, this puts some weight on those credentials.

Indeed it does all that. But consider this:

- By design it checks the local user's password (again, it can do
  kerberos, but let's not go in there).

- Such a check is done by PAM in Debian, hence it's PAM, not openssh, that
  should be blamed for any fallacies in the password check.

- While it's certainly possible to write a custom authentication scheme
  in the PAM configuration for sshd only, I don't know of any Linux (or
  non-Linux) distribution which does so.

- And sshd is only one example of a remote access program which runs
  with uid=0 privileges, although possibly the most common one.

Hence the 'sshd allows for weak credentials' problem could be solved in a
more correct way: simply prohibit setting weak passwords for any OS user,
root included.

For example, Debian could adopt the RedHat approach (it would not be the
first such case, after all) and force the use of pam_cracklib by default.


> > > And how about changing the default to "PasswordAuthentication no"?
> 
> > 2) Keypair type.
> > 
> > As of jessie stock sshd allows 6 ('ssh -Q key | grep -v cert') keypair
> > types, and of those one is secure - ed25519.
> 
> C'mon. This is just a choice of defaults which can be improved on.

By default ssh-keygen generates an RSA keypair (at least the man page
says so). It's important for compatibility with legacy systems (Solaris
comes to mind immediately), but it falls into the 'nothing to write home
about' category by today's standards.

Changing the ssh-keygen default keypair type will require a patch for
openssh, and we're still seeing the fallout from the '06 openssl Debian
patch failure ;)

Reco
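An added example, not part of the thread and not Debian's or OpenSSH's own code: a small POSIX sh audit of the sshd_config settings discussed above (PasswordAuthentication, PermitRootLogin, and which host key types are configured). It assumes the usual sshd_config parsing rules: keywords are case-insensitive, the first value given for a keyword wins, and lines after a "Match" block are conditional, so the global scan stops there. The two sample configs it checks are constructed for the example, not copied from any system.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# the discussion is about. Assumed OpenSSH semantics: keywords are
# case-insensitive, the first value for a keyword wins, and anything after a
# "Match" line is conditional, so the global scan stops there.

# sshd_get FILE KEYWORD: print the effective global value of KEYWORD, or nothing
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                  # conditional section starts
        tolower($1) == key     { print $2; exit }        # first value wins
    ' "$1"
}

# audit_sshd_config FILE: print one finding per line; exit status is the count
audit_sshd_config() {
    f=$1
    n=0

    # Unset means the upstream default, which is "yes".
    v=$(sshd_get "$f" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication=${v:-unset}: password logins are accepted"
        n=$((n + 1))
    fi

    v=$(sshd_get "$f" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password) ;;
        *)
            echo "PermitRootLogin=${v:-unset}: root can log in with a password"
            n=$((n + 1))
            ;;
    esac

    # DSA host keys are fixed at 1024 bits; ed25519 is the type the thread
    # singles out as secure. HostKey may appear several times, so grep the file.
    if grep -Eiq '^[[:space:]]*HostKey[[:space:]]+.*ssh_host_dsa_key' "$f"; then
        echo "HostKey: a DSA host key is configured"
        n=$((n + 1))
    fi
    if ! grep -Eiq '^[[:space:]]*HostKey[[:space:]]+.*ssh_host_ed25519_key' "$f"; then
        echo "HostKey: no ed25519 host key is configured"
        n=$((n + 1))
    fi

    return "$n"
}

# Constructed sample configs for the demonstration (not from a real host).
weak=$(mktemp)
hardened=$(mktemp)
cat > "$weak" <<'EOF'
# Permissive: relies on password strength alone
Port 22
PermitRootLogin yes
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
EOF
cat > "$hardened" <<'EOF'
Port 22
PasswordAuthentication no
PermitRootLogin prohibit-password
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
EOF

for cfg in "$weak" "$hardened"; do
    echo "== $cfg"
    audit_sshd_config "$cfg" && echo "(no findings)"
done
rm -f "$weak" "$hardened"
```

Run it against /etc/ssh/sshd_config on a host to get the same four checks; a non-zero exit status equals the number of findings, which makes it easy to wire into a configuration test.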
