Mailinglist Archive: opensuse-security (375 mails)

AW: [suse-security] AW: Antwort: AW: Antwort: [suse-security] sshd, harden_suse, pam und md5
  • From: "Wolfgang Rest" <webmaster@xxxxxxxxxxxxxxxxxx>
  • Date: Mon, 16 Sep 2002 14:31:28 +0200
  • Message-id: <BLEBLLIHHJBOLKNCLGEPMECJCLAA.webmaster@xxxxxxxxxxxxxxxxxx>
sorry for the German language

sshd must have some trouble with md5: when I disable md5 I can log in (also as root);
when I enable md5 I get access denied.

the harden_suse script is from 7.3

best regards


-----Original Message-----
From: Philippe Vogel [mailto:filiaap@xxxxxxxxxx]
Sent: Friday, 13 September 2002 17:39
To: Wolfgang Rest
Subject: Re: [suse-security] AW: Antwort: AW: Antwort: [suse-security] sshd, harden_suse, pam und md5


1) English mailing list - see www.suse.de!
2) harden_suse will work for 7.3, maybe you used the wrong attributes
and said yes everywhere!
3) read the rest

> oops...
>
> sorry.. I compared the old config file with the one newly created by
> harden_suse.. and I didn't notice it...
>
> so of course I now have PermitRootLogin = yes

This is a security hole; better allow your user xy and deny root.
Then switch to root with "su" + password.

> and also tried PAMAuthenticationViaKbdInt = yes

This is bad!
Change it to "No"!

>
> .. but that didn't help at all.
> could it be that something is wrong in /etc/pam.d/sshd?

The file was O.K. as it was brought to you.
Maybe harden_suse changed something.
Was the harden_suse you used written for SuSE 8.0?

>
> here again the now-correct sshd_config file:
>
> Port 22
> Protocol 1,2

I would prefer "Protocol 2", so that only protocol 2 is used.

> ListenAddress 192.168.2.2

Do you have the firewall with an internal and an external network card?
Then it is a fine thing to have ssh on both cards.
Therefore you may deactivate this entry.

> #ListenAddress ::
> HostKey /etc/ssh/ssh_host_key
> #HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key

Do you have these keys?
SSH looks for them and does authentication with them.
ssh_host_key -> protocol 1
ssh_host_rsa_key -> protocol 2
ssh_host_dsa_key -> protocol 2
You need these keys generated for your user to authenticate:
ssh-keygen -t rsa
passphrase ...
ssh-keygen -t dsa
passphrase ...

> ServerKeyBits 768
> LoginGraceTime 300
> KeyRegenerationInterval 3600

This is for protocol 1 usage only.

> PermitRootLogin yes

Deny it!

The rest looks normal.
The harden_suse script does more; it also sets kernel cap bits.
What did you say yes to?
The rest seems O.K.!

> #
> # Don't read ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
> StrictModes yes
> X11Forwarding no
> X11DisplayOffset 10
> PrintMotd yes
> #PrintLastLog no
> KeepAlive yes
>
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
> #obsoletes QuietMode and FascistLogging
>
> RhostsAuthentication no
> #
> # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> #
> RSAAuthentication yes
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> PermitEmptyPasswords no
>
> # Uncomment to disable s/key passwords
> ChallengeResponseAuthentication no
>
> # Uncomment to enable PAM keyboard-interactive authentication
> # Warning: enabling this may bypass the setting of 'PasswordAuthentication'
> #PAMAuthenticationViaKbdInt yes
>
> # To change Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #AFSTokenPassing no
> #KerberosTicketCleanup no
>
> # Kerberos TGT Passing does only work with the AFS kaserver
> #KerberosTgtPassing yes
>
> #CheckMail yes
> #UseLogin no
>
> #MaxStartups 10:30:60
> #Banner /etc/issue.net
> #ReverseMappingCheck yes
>
> Subsystem sftp /usr/lib/ssh/sftp-server
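
The reply above objects to three directives in the posted file: PermitRootLogin yes, Protocol 1,2 and PAMAuthenticationViaKbdInt yes. The POSIX shell script below is an added example, not code from the thread or from SuSE: it audits an sshd_config for those settings (plus PermitEmptyPasswords) and runs the audit over two constructed files, a subset of the posted configuration with the settings the poster tried, and a hardened counterpart. The directive names are the OpenSSH 3.x ones used in the thread; current OpenSSH releases have dropped SSH-1 and replaced PAMAuthenticationViaKbdInt with UsePAM, so against a modern file those two checks simply find nothing. Function names and file names are the example's own.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the weak settings discussed in the thread.
# The two sample configs written below are constructed for this example; they
# reproduce the posted directives but are not the poster's actual files.

# get_directive FILE KEYWORD
# Prints the value of the first uncommented occurrence of KEYWORD.
# sshd honours the first occurrence of a keyword and matches keywords
# case-insensitively, so the audit does the same.
get_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per weak setting found. Always exits 0 so callers can
# count lines instead of interpreting return codes.
audit_sshd_config() {
    f="$1"

    case "$(get_directive "$f" PermitRootLogin)" in
        yes) echo "PermitRootLogin yes: direct root login; set 'no', log in as a user and use su" ;;
    esac

    # "Protocol 1,2" (or "1") still offers SSH-1 to clients
    case "$(get_directive "$f" Protocol)" in
        *1*) echo "Protocol allows SSH-1: set 'Protocol 2'" ;;
    esac

    case "$(get_directive "$f" PAMAuthenticationViaKbdInt)" in
        yes) echo "PAMAuthenticationViaKbdInt yes: may bypass PasswordAuthentication; set 'no'" ;;
    esac

    case "$(get_directive "$f" PermitEmptyPasswords)" in
        yes) echo "PermitEmptyPasswords yes: accounts with empty passwords become reachable; set 'no'" ;;
    esac
}

# count_findings FILE: number of weak settings reported for FILE
count_findings() {
    audit_sshd_config "$1" | wc -l | tr -d ' '
}

# write_weak_config DIR: constructed subset of the posted config, with the
# PAMAuthenticationViaKbdInt line the poster tried uncommented. Prints the path.
write_weak_config() {
    out="$1/sshd_config.weak"
    cat > "$out" <<'EOF'
Port 22
Protocol 1,2
ListenAddress 192.168.2.2
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PAMAuthenticationViaKbdInt yes
PAMAuthenticationViaKbdInt yes
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
    echo "$out"
}

# write_hardened_config DIR: the same file with the reply's corrections applied. Prints the path.
write_hardened_config() {
    out="$1/sshd_config.hardened"
    cat > "$out" <<'EOF'
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
PAMAuthenticationViaKbdInt no
Subsystem sftp /usr/lib/ssh/sftp-server
EOF
    echo "$out"
}

# Stand-alone run: audit both constructed files side by side.
main() {
    dir=$(mktemp -d)
    weak=$(write_weak_config "$dir")
    hard=$(write_hardened_config "$dir")
    echo "== weak: $(count_findings "$weak") findings =="
    audit_sshd_config "$weak"
    echo "== hardened: $(count_findings "$hard") findings =="
    audit_sshd_config "$hard"
    rm -rf "$dir"
}

main
```

Point audit_sshd_config at the real file (/etc/ssh/sshd_config on the poster's system) to check a live daemon's configuration; the first-match rule matters there, because a hardening script that appends "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing. After editing, `sshd -t` validates the file's syntax before a restart.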



