View Single Post
  #1   (View Single Post)  
Old 1st February 2010
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default FreeBSD sshd_config tips from Matthew Dillon

From a post on the freebsd security mailing list http://lists.freebsd.org/pipermail/f...ry/005546.html

Code:
:Matthew Dillon <dillon@apollo.backplane.com> writes:
:>     Just give up and turn off tunneled plaintext passwords over the
:>     network.  No (non-kerberos) telnetd, rlogind, (non anonymous) ftpd, etc.
:>     Just run sshd and put this in your sshd_config:
:>
:>      # To disable tunneled clear text passwords, change to no here!
:>      PasswordAuthentication no
:
:This does not do what you think it does.  RTFM.
:
:DES
:--
:Dag-Erling Smørgrav - des@des.no

   Here's a thought, DES.  Try acting like the professional you
   profess to be instead of the 5-year-old you clearly are.

   It looks like the defaults in FreeBSD are different, so shoot me.
   Ah, I see, YOU were the one who changed the FreeBSD defaults to be
   less secure.  Now I understand.  The OpenSSH folks give you a nice
   default-secure setting and an easy way to change it in sshd_config
   and your answer is to actually modify the base code in the contrib
   instead and turn things all around?  Shame on you.

   So, FreeBSD users, it looks like you have to play russian roulette
   with your sshd_config options if you want the directives to actually
   work.  But hey, I'm sure DES will be happy to flip you off instead
   of tell you which options will work with FreeBSD.  So I guess I'll have
   to instead.

   If you don't need PAM's extra features for your sshd access (which is
   most people) then turn PAM off in your sshd_config to work around the
   base code change that DES made.  Then the other options will work as
   intended.  And, just to be safe, also turn off the challenge-response
   option.

       UsePAM no
       ChallengeResponseAuthentication no
       PasswordAuthentication no

   There, all better.  PAM has its advantages, but only for a very small
   percentage of users.  Its disadvantage is in its complexity and the
   ease of which a mis-configuration can result in a security hole.  If
   there is no need for ssh to use it in your configuration then it
   should be turned off.

                                   -Matt
                                   Matthew Dillon
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote