Your message dated Sun, 2 Apr 2017 02:45:39 +0100
with message-id <[email protected]>
and subject line Re: Bug#522745: [security] debian/openssh-server.postinst improved sshd_config
has caused the Debian Bug report #522745,
regarding [security] debian/openssh-server.postinst improved sshd_config
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
522745: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=522745
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-server
Version: 1:5.1p1-5
Severity: normal
Tags: security
The following patch improves security in default /etc/ssh/sshd_config file:
- PermitRootLogin change: from 'yes' to 'no'
- Add 'Match Address 192.168.1.0/26' example to limit root logins inside LAN
(in comments; for sysadm to enable it)
Cosmetic:
- Add paragraph breaks between option groups
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-server depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.25 Debian configuration management sy
ii dpkg 1.14.25 Debian package management system
ii libc6 2.9-4 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libkrb53 1.6.dfsg.4~beta1-6 MIT Kerberos runtime libraries
ii libpam-modules 1.0.1-5 Pluggable Authentication Modules f
ii libpam-runtime 1.0.1-5 Runtime support for the PAM librar
ii libpam0g 1.0.1-5 Pluggable Authentication Modules l
ii libselinux1 2.0.65-5 SELinux shared libraries
ii libssl0.9.8 0.9.8g-15 SSL shared libraries
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.1p1-5 secure shell client, an rlogin/rsh
ii procps 1:3.2.7-11 /proc file system utilities
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.3-2 X authentication utility
Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
pn rssh <none> (no description available)
pn ssh-askpass <none> (no description available)
-- debconf information excluded
From d768f16e6a93ce9af395e58a8976aee0a3f2af3d Mon Sep 17 00:00:00 2001
From: Jari Aalto <[email protected]>
Date: Mon, 6 Apr 2009 11:31:19 +0300
Subject: [PATCH] - Add 'Match Address example' for local LAN
- Change PermitRootLogin to 'no'.
---
openssh-server.postinst | 14 +++++++++++++-
1 files changed, 13 insertions(+), 1 deletions(-)
mode change 100644 => 100755 openssh-server.postinst
diff --git a/openssh-server.postinst b/openssh-server.postinst
old mode 100644
new mode 100755
index b7ea210..0d97ea5
--- a/openssh-server.postinst
+++ b/openssh-server.postinst
@@ -303,13 +303,17 @@ create_sshdconfig() {
# What ports, IPs and protocols we listen for
Port 22
+
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
+
Protocol 2
+
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
+
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
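Review bot: this hunk is whitespace only (blank lines after Port 22, the ListenAddress comments, Protocol 2 and the HostKey lines) yet it is bundled with the PermitRootLogin behaviour change further down; splitting the cosmetic reflow into its own patch keeps the security-relevant diff reviewable and backportable on its own. The patch header also flips the file mode of openssh-server.postinst from 100644 to 100755 ("old mode"/"new mode" lines above), which neither the subject line nor the description mentions; drop that mode change or say why it is needed.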
@@ -323,7 +327,7 @@ LogLevel INFO
# Authentication:
LoginGraceTime 120
-PermitRootLogin yes
+PermitRootLogin no
StrictModes yes
RSAAuthentication yes
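Review bot: switching PermitRootLogin from yes to no inside create_sshdconfig locks root out of SSH entirely on a fresh install, key-based logins included, and nothing in the patch warns the administrator (no NEWS.Debian entry, no debconf note). The value `without-password`, which this version already accepts, refuses password logins for root while keeping key-based root logins working and is the smaller lock-out risk on installs that have no unprivileged account yet; consider `PermitRootLogin without-password` here. It is also worth stating in the report that this only changes the file generated on new installs; an existing /etc/ssh/sshd_config is not touched by this function.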
@@ -332,10 +336,13 @@ PubkeyAuthentication yes
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
+
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
+
# similar for protocol version 2
HostbasedAuthentication no
+
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
@@ -375,6 +382,11 @@ AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
UsePAM yes
+
+# To permit root logins only in local LAN
+# Match Address 192.168.1.0/26
+# PermitRootLogin yes
+
EOF
}
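Review bot: the comment says "local LAN" but 192.168.1.0/26 covers only 192.168.1.0 through 192.168.1.63; if the whole 192.168.1.x network is meant the example should read 192.168.1.0/24, and the comment should make clear that the prefix is a placeholder to edit. The block is correctly placed at the very end of the generated file, but sshd attaches every directive that follows a Match line to that block, so the comment should warn that nothing may be appended below it unless it is intended for those addresses only. Consider `#   PermitRootLogin without-password` inside the block rather than `yes`, so the LAN exception does not reopen password logins for root, and indent the directive so that it reads as part of the Match block when uncommented. The effective value for a given client can be verified with `sshd -T -C user=root,addr=192.168.1.5`.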
--
1.6.1.3
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:7.4p1-1
On Wed, Apr 08, 2009 at 07:36:58PM +0300, Jari Aalto wrote:
> Colin Watson <[email protected]> writes:
> > > - Add 'Match Address 192.168.1.0/26' example to limit root logins
> > > inside LAN
> > > (in comments; for sysadm to enable it)
> >
> > Wouldn't this be better as an example in the manual page?
>
> It appears that debian/openssh-server.postinst is different from the one
> shipped with the original sources:
>
> apt-get source openssh-server
> cd openssh-5.1p1/
> tail sshd_config
Indeed, that was true at that time. I've since switched to using ucf to
manage sshd_config, so that's no longer a problem.
The score with 1:7.4p1-1 and newer relative to your original report is:
* PermitRootLogin is now "prohibit-password" by default since
1:6.6p1-1, matching upstream;
* The Match example from upstream is now present;
* Paragraph breaks in the upstream file seem broadly reasonable.
So I think it's now correct for me to close this bug report.
Thanks,
--
Colin Watson [[email protected]]
--- End Message ---
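A worked check for the two configurations discussed in this thread (the report's `PermitRootLogin no` with a commented `Match Address` exception, and the `prohibit-password` default the closing reply mentions), added here as an editor example. It is not OpenSSH's parser and not the Debian postinst, and the sample configs inside it are constructed to follow the shape of the patch rather than copied from it. It models only the sshd_config semantics that matter for the bug: keywords are case-insensitive, the first value given for a keyword within a section wins, every directive after a `Match` line belongs to that block until the next `Match`, and `Address` criteria are CIDR lists. It then resolves which PermitRootLogin value a client connecting from a given address would get, which exposes both the /26 prefix question and the "directive appended after Match" pitfall.

```python
# Added editor example: a small model of how sshd resolves PermitRootLogin
# under "Match Address" blocks. Not OpenSSH's code and not the Debian
# postinst; the configs further down are constructed for illustration.
import ipaddress


def parse_sshd_config(text):
    """Split sshd_config text into the global section and its Match blocks.

    Returns (global_opts, blocks): global_opts maps lowercased keyword to
    value; blocks is a list of (criteria, opts) in file order. Within one
    section the first value given for a keyword wins, as in sshd. Every
    directive after a Match line belongs to that block until the next
    Match line, which is why Match blocks must be the last thing in the file.
    """
    global_opts = {}
    blocks = []
    current = None  # None while still in the global section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            criteria = []
            # criteria come in pairs, e.g.  Address 192.168.1.0/26,10.0.0.0/8
            for i in range(0, len(tokens) - 1, 2):
                criteria.append((tokens[i].lower(), tokens[i + 1].split(",")))
            current = (criteria, {})
            blocks.append(current)
            continue
        section = global_opts if current is None else current[1]
        section.setdefault(keyword, value)
    return global_opts, blocks


def address_matches(addr, networks):
    """True if addr lies inside any CIDR or plain-address entry.
    Negated ("!") entries are deliberately not modelled here."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in networks)


def block_applies(criteria, addr):
    """Only the Address criterion is modelled; anything else fails loudly
    instead of being silently guessed."""
    for crit, values in criteria:
        if crit != "address":
            raise ValueError("unsupported Match criterion: %s" % crit)
        if not address_matches(addr, values):
            return False
    return True


def effective_option(text, keyword, addr):
    """Value of keyword that a client connecting from addr would get: the
    first matching Match block that sets it wins, otherwise the global value
    (None if the keyword is never set)."""
    global_opts, blocks = parse_sshd_config(text)
    keyword = keyword.lower()
    for criteria, opts in blocks:
        if block_applies(criteria, addr) and keyword in opts:
            return opts[keyword]
    return global_opts.get(keyword)


# Which authentication methods each PermitRootLogin value leaves open to root.
ROOT_LOGIN_METHODS = {
    "yes": {"password", "publickey"},
    "prohibit-password": {"publickey"},
    "without-password": {"publickey"},      # older alias of prohibit-password
    "forced-commands-only": {"publickey"},  # and only keys carrying command=
    "no": set(),
}


def root_login_methods(text, addr):
    value = effective_option(text, "PermitRootLogin", addr)
    if value is None:  # sshd's built-in default is out of scope; be explicit
        raise ValueError("PermitRootLogin not set in config")
    return ROOT_LOGIN_METHODS[value.lower()]


# Constructed configs following the shape of the patch (not its exact text).
BEFORE = "Port 22\nPermitRootLogin yes\nUsePAM yes\n"

AFTER = """
Port 22
PermitRootLogin no
UsePAM yes

# To permit root logins only in local LAN
Match Address 192.168.1.0/26
    PermitRootLogin yes
"""

# Pitfall: a directive appended after the Match block belongs to that block,
# so this PasswordAuthentication no only reaches clients in 192.168.1.0/26.
APPENDED = AFTER + "PasswordAuthentication no\n"


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        for client in ("192.168.1.5", "192.168.1.100", "203.0.113.9"):
            print(name, client, effective_option(cfg, "PermitRootLogin", client))
```

Running it shows that 192.168.1.100 is refused under the patched config because /26 stops at 192.168.1.63, and that a `PasswordAuthentication no` appended below the Match block never reaches clients outside the LAN. On a real host the authoritative check is sshd itself: `sshd -T -C user=root,addr=192.168.1.5 | grep -i permitrootlogin` prints the value sshd would apply to that client, which is what this model approximates.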