Mailinglist Archive: opensuse-security (685 mails)

Re: [suse-security] SSHD - limiting access to one account - how?
  • From: Martin Leweling <lewelin@xxxxxxxxxxxxxxx>
  • Date: Mon, 4 Feb 2002 14:36:08 +0100
  • Message-id: <20020204133607.74F6910A8@xxxxxxxxxxxxxxxxxxxxxxxx>
Hi,

On Monday 04 February 2002 13:54, Tobias Burnus wrote:
> Hi Steven,
>
> > And if some option is commented out in the sshd_config does it use the
> > default option?
>
> SSHD has to, what else should it use ...
>
> > What exploits are there for the "UseLogin" option?
> > e.g. #UseLogin no
>
> UseLogin allows one to do a "ssh foo" and then enter the password.
> If you disallow login you need to have an authorised key.

Sorry, but this is not quite correct. You are mistaking "UseLogin" for
"PasswordAuthentication". "UseLogin" means to use the OS-supplied
external login (/bin/login) for authentication. "man sshd" is your friend.

For vulnerability info on "UseLogin" see
http://www.suse.com/de/support/security/2001_045_openssh_txt.html.

Note that "UseLogin yes" (_not_ default) also means you are
inheriting all security holes of login, see e.g.
http://www.suse.com/de/support/security/2001_034_shadow_txt.html.

Many vendors, including SuSE, Sun etc. have issued patches for login.

> Tobias

Regards,
Martin
--
Martin Leweling
Institut fuer Planetologie, WWU Muenster
Wilhelm-Klemm-Str. 10, 48149 Muenster, Germany
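
The two points in this thread (a commented-out option falls back to the default, and "UseLogin" is a separate switch from "PasswordAuthentication") can be checked against a config file with a short audit script. This is an added example, not part of the original mail; the function names and the sample config are constructed, and the "PasswordAuthentication yes" default is taken from OpenSSH's documentation rather than from the thread.

```python
import re

# Defaults for the two options discussed in the thread: "UseLogin no" is
# stated there; "PasswordAuthentication yes" is OpenSSH's documented default.
DEFAULTS = {"uselogin": "no", "passwordauthentication": "yes"}

# Constructed sample input, not taken from the thread.
SAMPLE = """\
# sshd_config (constructed)
#UseLogin no
PasswordAuthentication no
PasswordAuthentication yes
"""

def effective_settings(config_text):
    """Return {keyword: (value, source)} for the keywords in DEFAULTS."""
    result = {k: (v, "default") for k, v in DEFAULTS.items()}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out option: the default stays in force
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.+)", line)
        if not m:
            continue
        key = m.group(1).lower()  # keywords are case-insensitive
        if key == "match":
            break  # simplification: only global settings are audited
        value = m.group(2).split()[0].strip('"').lower()
        # sshd keeps the first value it reads for a keyword
        if key in result and result[key][1] == "default":
            result[key] = (value, f"line {lineno}")
    return result

def audit(config_text):
    """Return notes on the settings the thread distinguishes."""
    s = effective_settings(config_text)
    notes = []
    if s["uselogin"][0] == "yes":
        notes.append("UseLogin yes: /bin/login is used, so its security holes are inherited")
    if s["passwordauthentication"][0] == "yes":
        notes.append("PasswordAuthentication yes: password logins are accepted")
    return notes

if __name__ == "__main__":
    for key, (value, source) in effective_settings(SAMPLE).items():
        print(f"{key} = {value} ({source})")
    print(audit(SAMPLE) or "no notes")
```
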
