FreeBSD sshd_config tips from Matthew Dillon
From a post on the FreeBSD security mailing list: http://lists.freebsd.org/pipermail/f...ry/005546.html
Code:
:Matthew Dillon <dillon@apollo.backplane.com> writes:
:> Just give up and turn off tunneled plaintext passwords over the
:> network. No (non-kerberos) telnetd, rlogind, (non anonymous) ftpd, etc.
:> Just run sshd and put this in your sshd_config:
:>
:> # To disable tunneled clear text passwords, change to no here!
:> PasswordAuthentication no
:
:This does not do what you think it does. RTFM.
:
:DES
:--
:Dag-Erling Smørgrav - des@des.no

Here's a thought, DES. Try acting like the professional you profess to be instead of the 5-year-old you clearly are.

It looks like the defaults in FreeBSD are different, so shoot me. Ah, I see, YOU were the one who changed the FreeBSD defaults to be less secure. Now I understand. The OpenSSH folks give you a nice default-secure setting and an easy way to change it in sshd_config and your answer is to actually modify the base code in the contrib instead and turn things all around? Shame on you.

So, FreeBSD users, it looks like you have to play russian roulette with your sshd_config options if you want the directives to actually work. But hey, I'm sure DES will be happy to flip you off instead of tell you which options will work with FreeBSD. So I guess I'll have to instead.

If you don't need PAM's extra features for your sshd access (which is most people) then turn PAM off in your sshd_config to work around the base code change that DES made. Then the other options will work as intended. And, just to be safe, also turn off the challenge-response option.

UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no

There, all better.

PAM has its advantages, but only for a very small percentage of users. Its disadvantage is in its complexity and the ease with which a mis-configuration can result in a security hole. If there is no need for ssh to use it in your configuration then it should be turned off.

-Matt
Matthew Dillon
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I have a default 8.0-RELEASE installation here; all these options mentioned by Matthew Dillon are disabled by default:
Code:
# < /etc/ssh/sshd_config egrep "#(UsePAM|ChallengeResponseAuthentication|PasswordAuthentication)"
#PasswordAuthentication no
#ChallengeResponseAuthentication yes
#UsePAM yes
__________________
religions, worst damnation of mankind
"If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus Torvalds
Linux is not UNIX! Face it! It is not an insult. It is fact: GNU is a recursive acronym for "GNU's Not UNIX".
Mr. Vermaden,
What do the comments at the top in sshd_config tell you?
@J65nko
Thank you, now I understand, shame on FreeBSD ...
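Putting the two points above together (Dillon's three directives, and J65nko's hint that the commented lines in the 8.0-RELEASE sshd_config show the compiled-in defaults), here is an added check script, not from the thread or from FreeBSD: it resolves each directive's effective value (explicit setting, else the commented default) and reports whether a password can still be used to log in. The sample configs are constructed inline; treating commented lines as defaults and ignoring Match blocks are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: compute the *effective* value of the three
# sshd_config directives Dillon names and flag the case where
# "PasswordAuthentication no" is set but password logins still work via PAM.
# Assumptions: no Match blocks; a commented "#Directive value" line shows the
# compiled-in default, as in the 8.0-RELEASE file quoted above.
# effective_value FILE DIRECTIVE: first uncommented setting wins (sshd semantics,
# keywords are case-insensitive); otherwise fall back to the commented default;
# prints "unknown" if neither is present.
effective_value() {
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    [ -n "$v" ] || v=$(awk -v k="$2" 'tolower($1) == ("#" tolower(k)) { print $2; exit }' "$1")
    printf '%s\n' "${v:-unknown}"
}
# password_login_possible FILE: prints yes if a password can still be used to log
# in, either directly or through PAM keyboard-interactive (UsePAM yes together
# with ChallengeResponseAuthentication yes), which is the trap the thread describes.
password_login_possible() {
    pw=$(effective_value "$1" PasswordAuthentication)
    pam=$(effective_value "$1" UsePAM)
    cr=$(effective_value "$1" ChallengeResponseAuthentication)
    if [ "$pw" = yes ] || { [ "$pam" = yes ] && [ "$cr" = yes ]; }; then
        echo yes
    else
        echo no
    fi
}
# Constructed sample 1: the commented defaults vermaden's egrep shows on 8.0-RELEASE.
default_cfg=$(mktemp)
cat > "$default_cfg" <<'EOF'
#PasswordAuthentication no
#ChallengeResponseAuthentication yes
#UsePAM yes
EOF
# Constructed sample 2: the same file with Dillon's three directives set explicitly.
hardened_cfg=$(mktemp)
cat > "$hardened_cfg" <<'EOF'
#PasswordAuthentication no
#ChallengeResponseAuthentication yes
#UsePAM yes
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF
echo "8.0 defaults:      password login possible? $(password_login_possible "$default_cfg")"
echo "Dillon's settings: password login possible? $(password_login_possible "$hardened_cfg")"
```

Run it against a real file with `password_login_possible /etc/ssh/sshd_config` after sourcing the functions; the default file reports yes, the hardened one no.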
It's even worse btw:
Code:
+#ifdef USE_PAM + options->password_authentication = 0; +#else options->password_authentication = 1; +#endif
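Review bot: the `#ifdef USE_PAM` branch makes the compiled-in default for password_authentication depend on a build flag (0 with PAM, 1 without), so the PasswordAuthentication default a FreeBSD user sees no longer matches the upstream OpenSSH default, and nothing in the hunk documents that. As Dillon's recommended settings in this thread show, "PasswordAuthentication no" only has its intended effect once UsePAM and ChallengeResponseAuthentication are also set to no; the commented `#PasswordAuthentication no` line in the shipped sshd_config should carry a comment saying so, or the default should stay aligned with upstream.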
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
For further developments on this issue: http://lists.freebsd.org/pipermail/f...ry/005548.html