Package: ssh Version: 1:3.8.1p1-8.sarge.4 Severity: important ObSeverity: I think this issue is important due to the denial of service rammifications involved, however I respect your opinion, and you may downgrade the severity as you see fit.
I my opinion, a LoginGraceTime of 10 minutes is really bad, as I have personally seen on a number of occasions, my server get totally blocked up by unauthenticated SSH connections (presumably relating to the brute-force SSH attacks running around at the moment) and if I didn't have an SSH connection already open, I wouldn't be able to login for 10 minutes, or potentially longer if someone was actively trying to gum up the works and constantly make SSH connections. I can't think of any reason why you'd want to leave an unauthenticated SSH connection open for that long. I think even 60 seconds is pretty generous. regards Andrew -- System Information: Debian Release: 3.1 APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 2.6.8-1-686 Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Versions of packages ssh depends on: ii adduser 3.59 Add and remove users and groups ii debconf 1.4.30.11 Debian configuration management sy ii dpkg 1.10.25 Package maintenance system for Deb ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an ii libpam-modules 0.76-22 Pluggable Authentication Modules f ii libpam-runtime 0.76-22 Runtime support for the PAM librar ii libpam0g 0.76-22 Pluggable Authentication Modules l ii libssl0.9.7 0.9.7e-2 SSL shared libraries ii libwrap0 7.6.dbs-6 Wietse Venema's TCP wrappers libra ii zlib1g 1:1.2.2-3 compression library - runtime -- debconf information: ssh/insecure_rshd: ssh/privsep_ask: true ssh/user_environment_tell: * ssh/forward_warning: ssh/insecure_telnetd: ssh/new_config: true * ssh/use_old_init_script: true * ssh/SUID_client: true ssh/disable_cr_auth: false * ssh/privsep_tell: ssh/ssh2_keys_merged: * ssh/protocol2_only: true ssh/encrypted_host_key_but_no_keygen: * ssh/run_sshd: true
