Bug 17286 - [FR] group wheel with PasswordAuthentication disabled by default
Status: CLOSED FIXED
Alias: None
Product: Sisyphus
Classification: Development
Component: openssh-server
Version: unstable
Hardware: all Linux
Importance: P2 enhancement
Assignee: Gleb F-Malinovskiy
QA Contact: qa-sisyphus
Reported: 2008-09-23 00:33 MSD by Ivan Zakharyaschev
Modified: 2010-06-23 11:20 MSD

Attachments
sshd_config-wheel-without-password.diff (1.91 KB, patch)
2008-09-23 00:33 MSD, Ivan Zakharyaschev

Description Ivan Zakharyaschev 2008-09-23 00:33:48 MSD
Created attachment 2943
sshd_config-wheel-without-password.diff

openssh-server-4.7p1-alt1

I suggest a more secure default configuration for consideration:

Match Group wheel
    PasswordAuthentication no

It continues the logic of the default "PermitRootLogin without-password": it disables the login with password for group wheel. The drawback is that it might irritate some users who are in the group wheel, if their systems are not exposed to the corresponding dangers (of guessing the password for known usernames by intruders).

If it is decided that this configuration is not appropriate as a default, it could still be exposed in comments or as an option in the default configuration tool (alterator?) in order to be of some use.
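
An added example, not part of the original report or of the openssh-server package: a small Python model of how sshd resolves one keyword when a `Match Group` block is present, useful for checking which accounts the proposed snippet affects. The function name, the sample configs and the group lists are constructed; only the `Group` criterion is modelled, without negated patterns.

```python
import fnmatch

# Constructed sample configs: the default line quoted in the report,
# with and without the proposed Match block.
BEFORE = """\
PermitRootLogin without-password
"""
AFTER = BEFORE + """\
Match Group wheel
    PasswordAuthentication no
"""


def effective(config, keyword, groups, default):
    """Resolve `keyword` for a user who belongs to `groups`.

    Mirrors sshd's rule: a value from a satisfied Match block overrides
    the global section, and in each the first value obtained wins.
    """
    keyword = keyword.lower()
    global_val = match_val = None
    in_match = False   # True once the first Match line has been seen
    applies = False    # True while inside a Match block that is satisfied
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            in_match = True
            # Assumption: exactly one criterion, "Group <pattern-list>".
            applies = (len(args) == 2 and args[0].lower() == "group"
                       and any(fnmatch.fnmatchcase(g, p)
                               for p in args[1].split(",") for g in groups))
        elif key == keyword and args:
            if not in_match and global_val is None:
                global_val = args[0]
            elif in_match and applies and match_val is None:
                match_val = args[0]
    if match_val is not None:
        return match_val
    return global_val if global_val is not None else default


if __name__ == "__main__":
    for name, groups in (("alice", ["alice", "wheel"]), ("bob", ["bob"])):
        print(name, effective(AFTER, "PasswordAuthentication", groups, "yes"))
```

On a live host with a current OpenSSH, `sshd -T -C user=NAME,host=HOST,addr=ADDR` prints the values sshd itself resolves for that connection.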
Comment 1 Michael Shigorin 2010-06-23 02:52:55 MSD
(In reply to comment #0)
> I suggest a more secure default configuration for consideration:
I object to this being a default, and strongly object to changing such a default without prior public debate.

> If it is decided that this configuration is not appropriate as a default, it
> could still be exposed in comments
Definitely.

> or as an option in the default configuration
> tool (alterator?) in order to be of some use.
control(8) I believe.
Comment 2 Repository Robot 2010-06-23 02:57:09 MSD
openssh-5.3p1-alt2 -> sisyphus:

* Wed Jun 23 2010 Dmitry V. Levin <ldv@altlinux> 5.3p1-alt2
- Enabled sftp by default.
- /etc/pam.d/sshd: Changed to use common-login.
- sshd_config: Disabled PasswordAuthentication for "wheel" group
  members (imz@; closes: #17286).
Comment 3 Sergey Y. Afonin 2010-06-23 11:20:41 MSD
Hm... What about another way?

https://bugzilla.altlinux.org/show_bug.cgi?id=11669