From 1cb3a32c13b1be5bb146cb685a2edbfce5598c19 Mon Sep 17 00:00:00 2001
From: Matthew Dillon
Date: Fri, 17 Mar 2017 15:47:52 -0700
Subject: [PATCH] sshd - Fix default password authentication
* The default for PasswordAuthentication somehow got reverted to being enabled.
* Disable PasswordAuthentication by default.
* Uncomment PasswordAuthentication in the default sshd_config, defaulting to 'no', and always overriding sshd's own defaults.
---
 crypto/openssh/readconf.c | 2 +-
 crypto/openssh/sshd_config | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/openssh/readconf.c b/crypto/openssh/readconf.c
index c177202b1a..d13c271007 100644
--- a/crypto/openssh/readconf.c
+++ b/crypto/openssh/readconf.c
@@ -1924,7 +1924,7 @@ fill_default_options(Options * options)
 if (options->gss_deleg_creds == -1)
 options->gss_deleg_creds = 0;
 if (options->password_authentication == -1)
- options->password_authentication = 1;
+ options->password_authentication = 0;
 if (options->kbd_interactive_authentication == -1)
 options->kbd_interactive_authentication = 1;
 if (options->rhosts_rsa_authentication == -1)
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 88def68d83..b0590c66aa 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
@@ -67,9 +67,9 @@ AuthorizedKeysFile .ssh/authorized_keys
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
-# Tunneled clear text passwords are disabled by default in DragonFly.
-# Change to yes to get OpenSSH's default.
-#PasswordAuthentication no
+# Don't trust sshd defaults, make sure Tunneled clear text passwords are
+# disabled in a default install. Change to yes to enable.
+PasswordAuthentication no
 #PermitEmptyPasswords no
-- 
2.41.0
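Review bot: The default flipped in this hunk is the ssh(1) client's, not sshd's: `fill_default_options(Options *)` in readconf.c fills the client-side `Options` struct (the neighbouring `gss_deleg_creds` context line is the client-only GSSAPIDelegateCredentials knob), whereas the server's compiled-in defaults live in servconf.c's `fill_default_server_options()`, which this commit does not touch. As committed, a DragonFly ssh client with no ssh_config entry will silently stop offering password authentication to remote servers, while sshd's own default stays at yes — the only thing hardening the server is the sshd_config line in the other hunk, which is presumably what "always overriding sshd's own defaults" refers to. If the intent is really the server default, the one-line change `options->password_authentication = 0;` belongs under `fill_default_server_options` in servconf.c; otherwise this readconf.c hunk should be dropped, or the subject and description changed to say the client is being altered. fill_default_options begins and ends outside the hunk.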
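Review bot: The new comment promises that clear-text passwords are disabled in a default install, but `PasswordAuthentication no` alone does not guarantee that: when sshd is built with PAM (`UsePAM yes`) and ChallengeResponseAuthentication is left at its OpenSSH default of yes, password logins still succeed through the keyboard-interactive method, which sends the same clear-text password inside the tunnel. Neither setting is visible in this hunk, so whether the shipped default is affected depends on the rest of sshd_config and the build, but the comment should not claim more than the line delivers. Suggest either adding `ChallengeResponseAuthentication no` directly beneath the new line, or qualifying the comment with `# NOTE: keyboard-interactive (PAM) can still accept passwords unless ChallengeResponseAuthentication is also 'no'`. Minor wording: "Tunneled" is capitalised mid-sentence in the new comment.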