17286 2008-09-23 00:33:48 +0400 [FR] group wheel with PasswordAuthentication disabled by default 2010-06-23 11:20:41 +0400 1 1 4 Development Sisyphus openssh-server unstable all Linux CLOSED FIXED P2 enhancement --- 1 imz glebfm aen asy cas glebfm ldv mike vitty vt qa-sisyphus oldest_to_newest 78455 0 2943 imz 2008-09-23 00:33:48 +0400 Created attachment 2943 sshd_config-wheel-without-password.diff openssh-server-4.7p1-alt1 I suggest a more secure default configuration for consideration: Match Group wheel PasswordAuthentication no It continues the logic of the default "PermitRootLogin without-password": it disables the login with password for group wheel. The drawback is that it might irritate some users who are in the group wheel, if their systems are not exposed to the corresponding dangers (of guessing the password for known usernames by intruders). If it is decided that this configuration is not appropriate as a default, it could still be exposed in comments or as an option in the default configuration tool (alterator?) in order to be of some use. 110034 1 mike 2010-06-23 02:52:55 +0400 (In reply to comment #0) > I suggest a more secure default configuration for consideration: I object to this being a default, and strongly object to changing such a default without prior public debate. > If it is decided that this configuration is not appropriate as a default, it > could still be exposed in comments Definitely. > or as an option in the default configuration > tool (alterator?) in order to be of some use. control(8) I believe. 110035 2 repository-robot 2010-06-23 02:57:09 +0400 openssh-5.3p1-alt2 -> sisyphus: * Wed Jun 23 2010 Dmitry V. Levin <ldv@altlinux> 5.3p1-alt2 - Enabled sftp by default. - /etc/pam.d/sshd: Changed to use common-login. - sshd_config: Disabled PasswordAuthentication for "wheel" group members (imz@; closes: #17286). 110044 3 asy 2010-06-23 11:20:41 +0400 Hm... What about another way ? https://bugzilla.altlinux.org/show_bug.cgi?id=11669 2943 2008-09-23 00:33:48 +0400 2008-09-23 00:33:48 +0400 sshd_config-wheel-without-password.diff sshd_config-wheel-without-password.diff text/plain 1951 imz SSB3YXNuJ3QgaGFwcHkgd2l0aCB0aGUgaWRlYSB0aGF0IGFuIGludHJ1ZGVyIGZyb20gdGhlIElu dGVybmV0IGNvdWxkCmdldCByb290IGluIHRoaXMgc3lzdGVtIGJ5IHBhc3N3b3JkLWd1ZXNzaW5n LgoKV2VsbCwgb25lLXN0ZXAgcGFzc3dvcmQgZ3Vlc3NpbmcgaXMgZXhjbHVkZWQgYnkgdGhlICJ3 aXRob3V0LXBhc3N3b3JkIgpwb2xpY3kgZm9yIFBlcm1pdFJvb3RMb2dpbi4gQnV0IHR3by1zdGVw IHBhc3N3b3JkLWd1ZXNzaW5nIHdhcyBzdGlsbApwb3NzaWJsZSB2aWEgYSB1c2VyIGZyb20gdGhl IGdyb3VwIHdoZWVsLiBUbyBzdHJlbmd0aGVuIHRoZSBzZWN1cml0eQpieSBleGNsdWRpbmcgdGhp cyBwb3NzaWJpbGl0eSwgSSBtYWRlIHRoZSBjb25maWd1cmF0aW9uIGJlbG93LgoKVGhlIGVmZmVj dCBvZiB0aGF0IGRpcmVjdGl2ZSBpcyBub3QgZXhhY3RseSB0aGUgc2FtZSBhcyBvZiAKIlBlcm1p dFJvb3RMb2dpbiB3aXRob3V0LXBhc3N3b3JkIjogdW5kZXIgdGhlICJ3aXRob3V0LXBhc3N3b3Jk Igpwb2xpY3ksIHRoZSBwYXNzd29yZCBpcyBzdGlsbCByZXF1ZXN0ZWQgb24gbG9naW4gYXR0ZW1w dHMsIGJ1dCB0aGUKbG9naW4gc2ltcGx5IG5ldmVyIHN1Y2NlZWRzIHdpdGggYSBwYXNzd29yZC4g VW5kZXIgdGhlIAoiUGFzc3dvcmRBdXRoZW50aWNhdGlvbiBubyIgc2V0dXAsIHRoZSBwYXNzd29y ZCBtZXRob2QgaXMgbm90IApzdWdnZXN0ZWQgb24gYSBsb2dpbiBhdHRlbXB0IGF0IGFsbCBmb3Ig dGhlIGdyb3VwIHdoZWVsLgoKT25lIHNpZGUtZWZmZWN0IG9mIHRoaXMgY29uZmlndXJhdGlvbiBp cyB0aGF0IHRoZSBwYXNzd29yZCBpcyBub3QKcmVxdWVzdGVkIGZvciByb290IGFzIHdlbGwgYW55 bW9yZSAoaWYgcm9vdCBpcyBpbiBncm91cCB3aGVlbCkuIFNvLAp0aGlzIGNvbmZpZ3VyYXRpb24g d291bGQgdW5mb3J0dW5hdGVseSBkaXNjbG9zZSBzb21lIGJpdHMgb2YgCmluZm9ybWF0aW9uIGFi b3V0IHRoZSByZWFsIGNvbmZpZ3VyYXRpb24gb2Ygc3NoZC4KCklmIHRoaXMgY29uZmlndXJhdGlv biBpcyBtYWRlIHRoZSBkZWZhdWx0LCB0aGVyZSBpcyBhIGRyYXdiYWNrIGZvcgp1c2VycyBvZiAi cGVyc29uYWwiIGNvbXB1dGVycyB3aGljaCB3aWxsIG5ldmVyIGJlIGV4cG9zZWQgdG8gSW50ZXJu ZXQ6CmluIHRoZWlyIGxvY2FsIHJlbGF0aXZlbHkgc2FmZSBuZXRzLCB0aGUgdXNlcnMgZnJvbSB0 aGUgZ3JvdXAgd2hlZWwgd2lsbCAKcHJvYmFibHkgYmUgaXJyaXRhdGVkIGJ5IHRoZSBpbXBvc3Np YmlsaXR5IHRvIGxvZyBpbiB3aXRoIGEgcGFzc3dvcmQuIApCdXQgdGhpcyB0aGluZyBjYW4gYmUg Y29uZmlndXJhYmxlIHRocm91Z2ggdGhlIGNvbmZpZ3VyYXRpb24gdG9vbCAoYWx0ZXJhdG9yPykK dXNlZCB0byB0dXJuIHNzaGQgb24gKGJ5IGRlZmF1bHQsIHNzaGQgaXMgdHVybmVkIG9mZiBpbiwg c2F5LCBBTFQgTGl0ZSA0LjAuMykuCgppbXogYXQgYWx0bGludXgub3JnLgoKLS0tIHNzaGRfY29u ZmlnLmZhY3RvcnkJMjAwOC0wOS0yMiAyMjoxNDoxOCArMDQwMAorKysgc3NoZF9jb25maWcJMjAw OC0wOS0yMiAyMjoyMzozNiArMDQwMApAQCAtMzUsNiArMzUsNyBAQAogCiAjTG9naW5HcmFjZVRp bWUgMm0KICNQZXJtaXRSb290TG9naW4gd2l0aG91dC1wYXNzd29yZAorIyAtLSB0aGlzIHBvbGlj eSBpcyBleHRlbmRlZCB0byBncm91cCB3aGVlbCAoc2VlIGEgTWF0Y2ggYmVsb3cpLgogI1N0cmlj dE1vZGVzIHllcwogI01heEF1dGhUcmllcyA2CiAKQEAgLTExNSwzICsxMTYsNyBAQAogIwlYMTFG b3J3YXJkaW5nIHllcwogIwlBbGxvd1RjcEZvcndhcmRpbmcgbm8KICMJRm9yY2VDb21tYW5kIGN2 cyBzZXJ2ZXIKKworIyBBbiBleHRlbnNpb24gb2YgdGhlIHBvbGljeSAiUGVybWl0Um9vdExvZ2lu IHdpdGhvdXQtcGFzc3dvcmQiOgorTWF0Y2ggR3JvdXAgd2hlZWwKKyAgICBQYXNzd29yZEF1dGhl bnRpY2F0aW9uIG5vCg==