From 4bde49b71e31daca1872f938e6f2c2e132cbc396 Mon Sep 17 00:00:00 2001
From: Peter Avalos
Date: Sat, 13 Aug 2016 13:49:59 -0700
Subject: [PATCH] sshd(8): Disable tunneled cleartext passwords.

This was previously our default that got wiped away when I removed our local changes to OpenSSH. It's unlikely that anyone running master saw any change to their sshd behavior, because they likely had the PasswordAuthentication line uncommented in their configuration file.
---
 crypto/openssh/README.DRAGONFLY | 1 +
 crypto/openssh/servconf.c | 2 +-
 crypto/openssh/sshd_config | 10 +++++++---
 crypto/openssh/sshd_config.5 | 4 ++--
 crypto/openssh/version.h | 2 ++
 5 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/crypto/openssh/README.DRAGONFLY b/crypto/openssh/README.DRAGONFLY
index bd1be26570..d36eb1ebff 100644
--- a/crypto/openssh/README.DRAGONFLY
+++ b/crypto/openssh/README.DRAGONFLY
@@ -8,6 +8,7 @@ Upgrading notes:
 --with-pam --with-libedit --with-ssl-engine Update config.h in secure/lib/libssh.
+Update version in sshd_config, sshd_config.5, version.h.
 Used in:
 lib/pam_module/pam_ssh/
diff --git a/crypto/openssh/servconf.c b/crypto/openssh/servconf.c
index 873b0d02a0..93976908cf 100644
--- a/crypto/openssh/servconf.c
+++ b/crypto/openssh/servconf.c
@@ -346,7 +346,7 @@ fill_default_server_options(ServerOptions *options)
 if (options->ip_qos_bulk == -1)
 options->ip_qos_bulk = IPTOS_THROUGHPUT;
 if (options->version_addendum == NULL)
- options->version_addendum = xstrdup("");
+ options->version_addendum = xstrdup(SSH_VERSION_DRAGONFLY);
 if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
 options->fwd_opts.streamlocal_bind_mask = 0177;
 if (options->fwd_opts.streamlocal_bind_unlink == -1)
diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config
index 75ae8e739b..88def68d83 100644
--- a/crypto/openssh/sshd_config
+++ b/crypto/openssh/sshd_config
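Review bot: `xstrdup(SSH_VERSION_DRAGONFLY)` depends on the macro from version.h being visible in servconf.c, yet the diffstat shows this one-line swap as the file's only change, so no include is added; as far as I recall upstream servconf.c does not include version.h, so confirm the name resolves in this translation unit and add `#include "version.h"` next to the other local headers if it does not. Note also that whatever this default resolves to is sent to every client as part of the protocol banner on connection (per the sshd_config.5 text in this commit), so a date-stamped vendor tag discloses the host's patch level before authentication; that is a deliberate trade-off, but it deserves a sentence in the commit message or the sshd_config comment. fill_default_server_options begins and ends outside this hunk.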
@@ -67,8 +67,10 @@ AuthorizedKeysFile .ssh/authorized_keys
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+# Tunneled clear text passwords are disabled by default in DragonFly.
+# Change to yes to get OpenSSH's default.
+#PasswordAuthentication no
+
 #PermitEmptyPasswords no
 # Change to no to disable s/key passwords
@@ -116,7 +118,9 @@ AuthorizedKeysFile .ssh/authorized_keys
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
-#VersionAddendum none
+
+# DragonFly has different defaults than OpenSSH.
+#VersionAddendum DragonFly-20160813
 # no default banner path
 #Banner none
diff --git a/crypto/openssh/sshd_config.5 b/crypto/openssh/sshd_config.5
index 4310e09def..d28abe434f 100644
--- a/crypto/openssh/sshd_config.5
+++ b/crypto/openssh/sshd_config.5
@@ -1180,7 +1180,7 @@ are refused if the number of unauthenticated connections reaches
 .It Cm PasswordAuthentication
 Specifies whether password authentication is allowed.
 The default is
-.Dq yes .
+.Dq no .
 Note that if
 .Cm ChallengeResponseAuthentication
 is
@@ -1638,7 +1638,7 @@ The default is
 Optionally specifies additional text to append to the SSH protocol banner
 sent by the server upon connection.
 The default is
-.Dq none .
+.Dq DragonFly-20160813 .
 .It Cm X11DisplayOffset
 Specifies the first display number available for
 .Xr sshd 8 Ns 's
diff --git a/crypto/openssh/version.h b/crypto/openssh/version.h
index 617ab62ad2..5516c45ecd 100644
--- a/crypto/openssh/version.h
+++ b/crypto/openssh/version.h
@@ -4,3 +4,5 @@
 #define SSH_PORTABLE "p1"
 #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+
+#define SSH_VERSION_DRAGONFLY "DragonFly-20160813"
-- 
2.41.0
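Review bot: The new comment above `#PasswordAuthentication no` reads as though cleartext passwords are now off entirely, but PasswordAuthentication only governs the "password" method; with ChallengeResponseAuthentication left at its default of yes (presumably the line that follows the `s/key passwords` comment at the end of this hunk) and a PAM-enabled build (the README hunk lists --with-pam), sshd can still prompt for the account password over keyboard-interactive. The sshd_config.5 hunk in this same commit already points at that interaction ("Note that if ChallengeResponseAuthentication is ..."), so the config comment should too. Suggest adding `# Note: ChallengeResponseAuthentication (below) can still prompt for a password via PAM.` so an administrator who wants passwords off knows both knobs are involved.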
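Review bot: `# DragonFly has different defaults than OpenSSH.` above `#VersionAddendum DragonFly-20160813` says nothing about what the option does, so a reader cannot tell that this string is appended to the banner every client receives on connection (as the sshd_config.5 hunk in this commit states) or that the stock value `none`, which the removed line used, is still available to suppress it. Suggest `# Appended to the protocol banner sent to every client on connection (DragonFly default; OpenSSH uses none).` in place of the current comment, so the disclosure is documented where it is configured.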