From a2fe50b040a514cfa4e6937a87093be6ca0c8693 Mon Sep 17 00:00:00 2001 From: Matthew Dillon Date: Wed, 3 Feb 2010 10:24:36 -0800 Subject: [PATCH] sshd - Add safety measures to the default installed sshd_config * Uncomment various sshd_config options to enforce their defaults. This does not make any changes to the current defaults but ensures that the configuration state for these particular options will not change if the default happens to be changed in the distributed codebase. RhostsRSAAuthentication no HostbasedAuthentication no IgnoreRhosts yes * Change the ChallengeResponseAuthentication default from 'yes' to 'no'. This only applies to PAM and PAM is disabled by default so this change has no effect unless PAM is enabled by default at some future time. * For now leave UsePAM commented out, do not enforce its default 'no' state. The changes above will make it safe if the codebase default changes in the future. The codebase default is currently 'no'. * Note that we previously also changed the PasswordAuthentication default to 'no', so everything is on the same page now. Suggested-by: Doug Barton (generally) --- crypto/openssh/sshd_config | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/crypto/openssh/sshd_config b/crypto/openssh/sshd_config index b85864b469..62489a7d14 100644 --- a/crypto/openssh/sshd_config +++ b/crypto/openssh/sshd_config @@ -56,22 +56,24 @@ PermitRootLogin without-password #AuthorizedKeysFile .ssh/authorized_keys # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts -#RhostsRSAAuthentication no +RhostsRSAAuthentication no # similar for protocol version 2 -#HostbasedAuthentication no +HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # RhostsRSAAuthentication and HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files -#IgnoreRhosts yes +IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! # We disable cleartext passwords by default PasswordAuthentication no #PermitEmptyPasswords no -# Change to no to disable PAM authentication -#ChallengeResponseAuthentication yes +# Change to no to disable s/key and tunneled clear-text passwords +# when PAM is enabled. We disable this by default. Note that +# PAM is also disabled by default. +ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no -- 2.41.0