#1
1st February 2010
J65nko
Administrator

FreeBSD sshd_config tips from Matthew Dillon

From a post on the freebsd security mailing list http://lists.freebsd.org/pipermail/f...ry/005546.html

Code:
:Matthew Dillon <dillon@apollo.backplane.com> writes:
:>     Just give up and turn off tunneled plaintext passwords over the
:>     network.  No (non-kerberos) telnetd, rlogind, (non anonymous) ftpd, etc.
:>     Just run sshd and put this in your sshd_config:
:>
:>      # To disable tunneled clear text passwords, change to no here!
:>      PasswordAuthentication no
:
:This does not do what you think it does.  RTFM.
:
:DES
:--
:Dag-Erling Smørgrav - des@des.no

   Here's a thought, DES.  Try acting like the professional you
   profess to be instead of the 5-year-old you clearly are.

   It looks like the defaults in FreeBSD are different, so shoot me.
   Ah, I see, YOU were the one who changed the FreeBSD defaults to be
   less secure.  Now I understand.  The OpenSSH folks give you a nice
   default-secure setting and an easy way to change it in sshd_config
   and your answer is to actually modify the base code in the contrib
   instead and turn things all around?  Shame on you.

   So, FreeBSD users, it looks like you have to play russian roulette
   with your sshd_config options if you want the directives to actually
   work.  But hey, I'm sure DES will be happy to flip you off instead
   of tell you which options will work with FreeBSD.  So I guess I'll have
   to instead.

   If you don't need PAM's extra features for your sshd access (which is
   most people) then turn PAM off in your sshd_config to work around the
   base code change that DES made.  Then the other options will work as
   intended.  And, just to be safe, also turn off the challenge-response
   option.

       UsePAM no
       ChallengeResponseAuthentication no
       PasswordAuthentication no

   There, all better.  PAM has its advantages, but only for a very small
   percentage of users.  Its disadvantage is in its complexity and the
   ease of which a mis-configuration can result in a security hole.  If
   there is no need for ssh to use it in your configuration then it
   should be turned off.

                                   -Matt
                                   Matthew Dillon
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#2
1st February 2010
vermaden
Administrator

I have a default 8.0-RELEASE installation here, all these options mentioned by Matthew Dillon are disabled by default:
Code:
# < /etc/ssh/sshd_config egrep "#(UsePAM|ChallengeResponseAuthentication|PasswordAuthentication)"
#PasswordAuthentication no
#ChallengeResponseAuthentication yes
#UsePAM yes
... am I missing something here?
__________________
religions, worst damnation of mankind
"If 386BSD had been available when I started on Linux, Linux would probably never had happened." Linus Torvalds

Linux is not UNIX! Face it! It is not an insult. It is fact: GNU is a recursive acronym for “GNU's Not UNIX”.
vermaden's: links resources deviantart spreadbsd
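An added audit helper, not from the thread or from FreeBSD, that ties the two posts above together: it treats a "#Key value" line as the documented compiled-in default (the lines vermaden grep'd) and only an uncommented directive as a real setting, then reports whether the three directives Dillon lists are all effectively "no". It assumes plain "Key value" syntax and only looks at the global section before any Match block; the sample files are constructed here, not real system files.

```sh
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the three
# directives Dillon lists. A "#Key value" line only documents the default;
# an uncommented "Key value" line sets it. Assumes "Key value" syntax and
# consults only the global section before the first Match line.

# effective FILE KEY FALLBACK: print the effective value of KEY in FILE.
# Last uncommented directive wins; else the "#KEY value" default line; else FALLBACK.
effective() {
    file=$1 key=$2 fallback=$3
    set_val=$(awk -v k="$key" \
        'tolower($1)=="match"{exit} tolower($1)==tolower(k){v=$2} END{print v}' "$file")
    [ -n "$set_val" ] && { printf '%s\n' "$set_val"; return 0; }
    def_val=$(awk -v k="#$key" 'tolower($1)==tolower(k){v=$2} END{print v}' "$file")
    printf '%s\n' "${def_val:-$fallback}"
}

# audit_password_auth FILE: one finding per line while tunneled passwords
# may still be accepted; prints nothing once all three directives are "no".
audit_password_auth() {
    f=$1
    pw=$(effective "$f" PasswordAuthentication yes)
    cr=$(effective "$f" ChallengeResponseAuthentication yes)
    pam=$(effective "$f" UsePAM yes)
    [ "$pw" = no ] || echo "PasswordAuthentication=$pw: password logins are enabled"
    [ "$cr" = no ] || echo "ChallengeResponseAuthentication=$cr: PAM keyboard-interactive can still ask for a password"
    [ "$pam" = no ] || echo "UsePAM=$pam: PAM is in the path, so PasswordAuthentication alone is not decisive"
}

# Constructed sample files (not real system files).
STOCK=$(mktemp)    # resembles the commented defaults vermaden grep'd
cat >"$STOCK" <<'EOF'
#PasswordAuthentication no
#ChallengeResponseAuthentication yes
#UsePAM yes
EOF
HARDENED=$(mktemp) # Dillon's three directives, uncommented
cat >"$HARDENED" <<'EOF'
#PasswordAuthentication no
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
EOF

echo "stock:";    audit_password_auth "$STOCK"
echo "hardened:"; audit_password_auth "$HARDENED"
```

On the stock-style file the audit reports two findings (ChallengeResponseAuthentication and UsePAM) even though PasswordAuthentication already reads "no"; on the hardened file it reports none.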

#3
1st February 2010
Carpetsmoker (Martin)


I didn't know that, I always thought FreeBSD used the OpenSSH defaults ... Apparently not ... Shame on that indeed ...
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

#4
1st February 2010
J65nko
Administrator


Mr. Vermaden,

What do the comments at the top in sshd_config tell you?

#5
1st February 2010
vermaden
Administrator


@J65nko

Thank you, now I understand, shame on FreeBSD ...

#6
1st February 2010
Carpetsmoker (Martin)


It's even worse btw:

Code:
+#ifdef USE_PAM
+		options->password_authentication = 0;
+#else
 		options->password_authentication = 1;
+#endif
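Review bot: the compiled-in default for password_authentication now depends on the USE_PAM build option (0 with PAM, 1 without), while the upstream line assigned 1 unconditionally, so the documented default in the shipped sshd_config and in sshd_config(5) must say that PasswordAuthentication defaults to "no" only when sshd is built with PAM; a comment above the #ifdef explaining why the PAM build differs would also help, since readers of servconf.c will otherwise assume the upstream default applies.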
http://www.freebsd.org/cgi/cvsweb.cg...1=1.41;r2=1.42

#7
3rd February 2010
J65nko
Administrator


For more developments about this issue: http://lists.freebsd.org/pipermail/f...ry/005548.html