ALT Linux Bugzilla – Attachment 2943 Details for Bug 17286: [FR] group wheel with PasswordAuthentication disabled by default
[patch] sshd_config-wheel-without-password.diff (text/plain), 1.91 KB, created by Ivan Zakharyaschev on 2008-09-23 00:33:48 MSD
>I wasn't happy with the idea that an intruder from the Internet could >get root in this system by password-guessing. > >Well, one-step password guessing is excluded by the "without-password" >policy for PermitRootLogin. But two-step password-guessing was still >possible via a user from the group wheel. To strengthen the security >by excluding this possibility, I made the configuration below. > >The effect of that directive is not exactly the same as of >"PermitRootLogin without-password": under the "without-password" >policy, the password is still requested on login attempts, but the >login simply never succeeds with a password. Under the >"PasswordAuthentication no" setup, the password method is not >suggested on a login attempt at all for the group wheel. > >One side-effect of this configuration is that the password is not >requested for root as well anymore (if root is in group wheel). So, >this configuration would unfortunately disclose some bits of >information about the real configuration of sshd. > >If this configuration is made the default, there is a drawback for >users of "personal" computers which will never be exposed to Internet: >in their local relatively safe nets, the users from the group wheel will >probably be irritated by the impossibility to log in with a password. >But this thing can be configurable through the configuration tool (alterator?) >used to turn sshd on (by default, sshd is turned off in, say, ALT Lite 4.0.3). > >imz at altlinux.org. > >--- sshd_config.factory 2008-09-22 22:14:18 +0400 >+++ sshd_config 2008-09-22 22:23:36 +0400 >@@ -35,6 +35,7 @@ > > #LoginGraceTime 2m > #PermitRootLogin without-password >+# -- this policy is extended to group wheel (see a Match below). > #StrictModes yes > #MaxAuthTries 6 > >@@ -115,3 +116,7 @@ > # X11Forwarding yes > # AllowTcpForwarding no > # ForceCommand cvs server >+ >+# An extension of the policy "PermitRootLogin without-password": >+Match Group wheel >+ PasswordAuthentication no
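Review bot: In the first hunk, the added comment sits under `#PermitRootLogin without-password`, a line that is itself commented out, so it documents a policy the file only shows as a default. If an administrator later uncomments that line and changes its value, the comment will still claim that the wheel rule extends it. Suggest pointing the comment at the block by name, for example "see 'Match Group wheel' at the end of this file", instead of "a Match below".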
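Review bot: In the second hunk, `Match Group wheel` is appended at the very end of the file, and a Match block runs until the next Match line or the end of the file, so any directive that an administrator or a configuration tool later appends to sshd_config will apply only to group wheel instead of globally. Suggest adding a comment line above the block saying that global settings must be placed before it. The block also sets only `PasswordAuthentication no`; keyboard-interactive authentication is a separate method in sshd, so it is worth confirming that it is not enabled elsewhere in this file, otherwise members of wheel may still be offered a password prompt.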