Gentoo Archives: gentoo-dev

From: Mike Frysinger <vapier@g.o>
To: gentoo-security@g.o, gentoo-announce@g.o
Cc: gentoo-dev@g.o
Subject: [gentoo-dev] New OpenSSH configuration setup should be double checked
Date: Wed, 17 Sep 2003 06:44:23
Message-Id: 200309170243.47442.vapier@gentoo.org
the new 3.7.x series has updated the default settings/values/etc... of the
sshd_config file. this is just a heads up to make sure that in your rush to
update all your ssh servers, you didn't miss a step and accidentally open up
your server to previously unauthorized access.

(1) default PAM setting has been changed to YES
(1a) the keyword for toggling PAM auth has been changed from
'PAMAuthenticationViaKbdInt' to 'UsePAM'

(2) if you disabled (set it to no) the PasswordAuthentication feature before
so as to prevent users from logging in with a password (say you only wanted
them to utilize keys), then you must explicitly set UsePAM to no, otherwise
the PasswordAuthentication step will be bypassed by PAM

(3) if you use PasswordAuthentication and PAM (the default config file does
this), then users may now be authenticated via either option. you may notice
this when you attempt to log in, fail password checking 3 times, and suddenly
get a different prompt. this is because the first check (via PAM) failed and
ssh is now falling back to password authentication.
PAM authentication gives you this prompt:
Password:
PasswordAuthentication gives you this prompt:
UserBah@rux0r's password:

i think that about covers it ... for some people you may be annoyed by this
e-mail, others may thank Gentoo devs for it ... just remember:
(1) we all love security (more security, less rooting == better world)
(2) knowledge is half the battle !

-mike
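The checks Mike describes (the renamed keyword, the UsePAM default of yes, and a PasswordAuthentication no that is undone unless UsePAM is also set to no) can be mechanised. The script below is an added example written for this archive page; it is not part of Mike's mail or of the Gentoo OpenSSH ebuild. It assumes, as sshd does, that keywords are case-insensitive and that the first occurrence of a keyword wins; the sample configs are constructed, and the "defaults" table encodes only what the mail states (UsePAM defaults to yes in 3.7.x) plus sshd's long-standing default of PasswordAuthentication yes.

```python
"""Audit an OpenSSH 3.7-era sshd_config for the PAM pitfalls described above.

Findings prefixed "warn:" mean the file does not do what its author intended;
"info:" findings describe behaviour that is correct but surprising.
"""
import re

# old keyword (lowercased) -> (display name, replacement)
DEPRECATED = {"pamauthenticationviakbdint": ("PAMAuthenticationViaKbdInt", "UsePAM")}

# Effective values when a keyword is absent. UsePAM yes is the 3.7.x default
# from the announcement; PasswordAuthentication yes is sshd's usual default.
DEFAULTS = {"usepam": "yes", "passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Return {keyword.lower(): value} using sshd's first-occurrence-wins rule.

    Assumption: '#' starts a comment anywhere on a line and the keyword is
    separated from its value by whitespace or '='.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue  # keyword without a value; sshd would reject this
        key, value = parts[0].lower(), parts[1].strip()
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(text):
    """Return a list of findings for the given sshd_config text."""
    settings = parse_sshd_config(text)
    findings = []

    for old, (display, replacement) in DEPRECATED.items():
        if old in settings:
            findings.append(f"warn: {display} is no longer recognised; use {replacement}")

    effective = {k: settings.get(k, DEFAULTS[k]).lower() for k in DEFAULTS}
    pam_source = "UsePAM yes" if "usepam" in settings else "UsePAM unset, defaults to yes"

    # Point (2) of the mail: keys-only intent is defeated while PAM stays on.
    if effective["passwordauthentication"] == "no" and effective["usepam"] == "yes":
        findings.append(
            f"warn: PasswordAuthentication no is bypassed by PAM ({pam_source}); "
            "set UsePAM no explicitly"
        )

    # Point (3): both mechanisms enabled, so users see two password prompts.
    if effective["passwordauthentication"] == "yes" and effective["usepam"] == "yes":
        findings.append(
            "info: both PAM and PasswordAuthentication are enabled; after PAM "
            "fails, sshd falls back to the PasswordAuthentication prompt"
        )
    return findings


# Constructed sample: a 3.6-style keys-only config carried over unchanged.
BROKEN_KEYS_ONLY = """\
Port 22
PasswordAuthentication no
PAMAuthenticationViaKbdInt no   # old keyword, silently ignored by 3.7
PubkeyAuthentication yes
"""

# Constructed sample: the same intent expressed correctly for 3.7.x.
FIXED_KEYS_ONLY = """\
Port 22
PasswordAuthentication no
UsePAM no
PubkeyAuthentication yes
"""

# Constructed sample: what the shipped default file enables.
SHIPPED_DEFAULTS = """\
PasswordAuthentication yes
UsePAM yes
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_KEYS_ONLY), ("fixed", FIXED_KEYS_ONLY),
                      ("shipped", SHIPPED_DEFAULTS)):
        print(f"== {name} ==")
        for finding in audit(cfg) or ["ok"]:
            print(" ", finding)
```

Run it against the real file with `audit(open("/etc/ssh/sshd_config").read())` after the upgrade; the warn findings are exactly the two cases the mail says will let password logins back in on a server that was meant to be key-only.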

Replies

Subject Author
[gentoo-dev] OpenSSH 3.7 compatibility problems Andrea Barisani <lcars@g.o>