On Wed, 3 Nov 2010, Lyle Giese wrote:
I can not find the reference right off, but one of the first things I do when bringing up a new SuSE machine is make a couple of changes to ssh. There was an article at Novell that basically said the same thing when you want to expose ssh.
Change Permit root login to no
Change protocol version to 2 only
Change the port the server listens to. I recommend something > 1024. If you are running a public server, you may not be able to do that, but few web designers know what to do with a command line and it cuts down on the chaff from the script kiddies.
Add the following to the /etc/sshd_config: AllowGroups sshallow
Now go into YAST and add group sshallow and only put in the user ids you want to be able to login via ssh. And that does not include root or ftp.
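As an added example (not from either poster), here is a POSIX sh audit script that checks an sshd_config file for the four settings listed above, run against two constructed sample configs; the temp file paths and the port 2222 are assumptions, the group name sshallow comes from the post.

```shell
#!/bin/sh
# Audits an sshd_config for the four settings listed above: PermitRootLogin no,
# Protocol 2, a listening port above 1024, and AllowGroups set.
# sshd uses the FIRST occurrence of a keyword (case-insensitive); later
# duplicates are silently ignored. Match blocks are not modelled here.
# On a live host, audit the effective config instead of the file on disk:
#   sshd -T > effective.conf && audit_sshd_config effective.conf

# effective_value FILE KEYWORD -> the value sshd would use, empty if unset
effective_value() {
    awk -v key="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd_config FILE -> prints one offending keyword per line, returns 1 if any
audit_sshd_config() {
    f=$1; bad=0
    v=$(effective_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || { echo "PermitRootLogin ${v:-unset}"; bad=1; }
    v=$(effective_value "$f" Protocol)
    [ "$v" = "2" ] || { echo "Protocol ${v:-unset}"; bad=1; }
    v=$(effective_value "$f" Port)
    [ "${v:-22}" -gt 1024 ] 2>/dev/null || { echo "Port ${v:-22}"; bad=1; }
    v=$(effective_value "$f" AllowGroups)
    [ -n "$v" ] || { echo "AllowGroups unset"; bad=1; }
    return "$bad"
}

# Constructed sample configs for a hypothetical host (not real files).
weak=$(mktemp); hard=$(mktemp)
trap 'rm -f "$weak" "$hard"' EXIT
cat > "$weak" <<'EOF'
Port 22
PermitRootLogin yes
Protocol 2,1
# the line below is ignored by sshd because PermitRootLogin was already set
PermitRootLogin no
EOF
cat > "$hard" <<'EOF'
Port 2222
Protocol 2
PermitRootLogin no
AllowGroups sshallow
EOF
echo "== weak =="; audit_sshd_config "$weak" || echo "(findings above)"
echo "== hardened =="; audit_sshd_config "$hard" && echo "no findings"
```

Note that the port change only reduces log noise from automated scans, and AllowGroups restricts which accounts sshd will consider at all; neither explains how an account without a valid password could authenticate, which is the separate question raised in the reply.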
This is all good advice, and I did not know about DenyUsers, AllowUsers, DenyGroups, AllowGroups. However, it doesn't explain the mystery because the usernames concerned were already not allowed to login... they did not have valid passwords. Changing the sshd config just makes them even more not allowed to login. To use a house analogy: somebody has got through a locked door and I don't know how they managed it. I can put a new lock on the door but I am still scared because I rely on the same lock in other places.

Just to repeat what happened: it appears that sshd accepted a password login for user ftp even though user ftp has no valid password. That is either a dreadful bug or a terrible misconfiguration.

Regards,
Bob Vickers