This is a discussion on Re: User-specific sshd_config? within the OpenSSH Development forums, part of the Networking and Network Related category.
Thanks for the security rundown, Jim!

On Fri 2008-04-04 12:55:26 -0400, Jim Knoble wrote:

> If you're attempting to restrict a user to only pubkey
> authentication so that you can use authorized_keys to control what
> the user may do, then you should pay particular attention to the
> *Authentication directives:
>
> PubkeyAuthentication yes
> PasswordAuthentication no
> ChallengeResponseAuthentication no
> HostbasedAuthentication no
> KerberosAuthentication no
> GSSAPIAuthentication no
> UsePAM no

You should also pay attention to KbdInteractiveAuthentication.

Also, if you've locked down the *Authentication directives, there should be no reason to "UsePAM no". In fact, depending on PAM configs, setting "UsePAM no" could open the system to undesirable access. This is because PAM session and account modules can be used to deny access (e.g. the pam_require module [0]), and these checks won't be applied if SSH declines to consult the PAM stack.

Happy Hacking,

--dkg

[0] http://www.splitbrain.org/projects/pam_require
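A way to verify the directive set discussed in this thread, as an added example that is not part of the original post or of OpenSSH: the script below audits the effective per-user settings in the "keyword value" format that `sshd -T -C user=NAME` prints (lowercase keywords), expecting pubkey-only authentication with every other *Authentication directive off and, following dkg's point, UsePAM left on. The user name "alice" and the sample `sshd -T` output embedded in the script are constructed for this example; the check function and its expected values are this example's own, not an OpenSSH tool.

```shell
#!/bin/sh
# Added example, not from the thread: audit the effective sshd authentication
# directives for one user. Input is in the format printed by
#   sshd -T -C user=alice
# (lowercase "keyword value" lines). Real use:
#   sshd -T -C user=alice | audit_auth_directives

# Sample `sshd -T -C user=alice` output, constructed for this example.
SAMPLE_EFFECTIVE_CONFIG='port 22
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
kbdinteractiveauthentication no
hostbasedauthentication no
kerberosauthentication no
gssapiauthentication no
usepam yes'

# expected_value KEYWORD: print the value a pubkey-only user should end up with.
expected_value() {
  case "$1" in
    pubkeyauthentication) echo yes ;;
    # Keep PAM on: account/session modules (e.g. pam_require) can still deny
    # access, and they are skipped entirely when sshd never consults PAM.
    usepam) echo yes ;;
    passwordauthentication|challengeresponseauthentication|\
    kbdinteractiveauthentication|hostbasedauthentication|\
    kerberosauthentication|gssapiauthentication) echo no ;;
    *) return 1 ;;
  esac
}

# audit_auth_directives: read sshd -T style output on stdin, print one line
# per mismatch ("keyword: expected X, got Y"), return 0 only if all match.
audit_auth_directives() {
  input=$(cat)
  rc=0
  for kw in pubkeyauthentication passwordauthentication \
            challengeresponseauthentication kbdinteractiveauthentication \
            hostbasedauthentication kerberosauthentication \
            gssapiauthentication usepam; do
    want=$(expected_value "$kw")
    got=$(printf '%s\n' "$input" | awk -v k="$kw" '$1 == k { print $2; exit }')
    if [ -z "$got" ]; then
      # Newer OpenSSH releases print only kbdinteractiveauthentication, so the
      # older challengeresponseauthentication alias is treated as optional.
      if [ "$kw" = challengeresponseauthentication ]; then
        continue
      fi
      echo "$kw: expected $want, but the directive is absent"
      rc=1
    elif [ "$got" != "$want" ]; then
      echo "$kw: expected $want, got $got"
      rc=1
    fi
  done
  return $rc
}

# Demonstration on the constructed sample: prints nothing and reports success.
printf '%s\n' "$SAMPLE_EFFECTIVE_CONFIG" | audit_auth_directives \
  && echo "sample effective config matches the pubkey-only policy"
```

Per-user restrictions themselves go in a `Match User alice` block in sshd_config; running `sshd -T -C user=alice` afterwards shows the merged result for that user, which is what this audit consumes. The alias handling matters because the directive list from 2008 includes ChallengeResponseAuthentication, which current OpenSSH folds into KbdInteractiveAuthentication.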