On Thu, Sep 25, 2014 at 11:10 PM, Bill Christensen <
[email protected]> wrote:

> Anyone got any?
>

OS X out of the box is less vulnerable than some because its DHCP client
doesn't use scripts that pass DHCP options in the environment (at least as
far as I, and everyone I've talked to so far who has some clue, can tell)
and, while it has Apache in the default configuration ("Web Sharing"), it's
generally off by default and the default CGI directory
(/Library/WebServer/CGI-Executables) is empty. sshd does pass $TERM so in
theory could be compromised when someone logs in remotely, but "Remote
Login" is also disabled by default and note that the sshd route can only be
used if someone can authenticate.

On general principles, not just ShellShock, I would limit sshd to
particular accounts via the GUI, edit /etc/sshd_config to disable root
login with anything but a key (or possibly not even that) by ensuring
"ChallengeResponseAuthentication no" ("KeyboardInteractive no" on older OS
X / sshd) and "PermitRootLogin" either "no" or "without-password". (I think
there is a corner case here where "PermitRootLogin without-password" and
"ChallengeResponseAuthentication yes" / "KeyboardInteractive yes" will
allow root to authenticate via PAM password? In any case, it's probably
best to only allow pubkey login across the board, given how ssh servers get
attacked these days.)

-- 
brandon s allbery kf8nh                               sine nomine associates
[email protected]                                  [email protected]
unix, openafs, kerberos, infrastructure, xmonad        http://sinenomine.net
_______________________________________________
macports-users mailing list
[email protected]
https://lists.macosforge.org/mailman/listinfo/macports-users
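As an added illustration of the sshd_config advice in the message above (this is example code written for this page, not something from the original poster or from MacPorts), the script below audits an sshd_config for the three settings discussed: PermitRootLogin restricted to "no" or "without-password", ChallengeResponseAuthentication off, and password authentication off so that only public keys are accepted. The two sample configs it checks are constructed for the demo; the keyword names are real OpenSSH keywords, and "prohibit-password" / KbdInteractiveAuthentication are the newer spellings OpenSSH later adopted for "without-password" / ChallengeResponseAuthentication. The script assumes no "Match" blocks override the global settings.

```shell
#!/bin/sh
# Added example (not from the original message): audit an sshd_config for the
# settings discussed in the thread. Sample configs below are constructed.

# Effective value of a keyword: sshd uses the first value it reads for each
# keyword, so the first uncommented occurrence wins. Keywords are
# case-insensitive. Anything after a "Match" line is ignored here
# (assumption: no Match-block overrides are in play).
sshd_opt() {
    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/                    { next }
        tolower($1) == "match"        { exit }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Check the settings recommended in the thread. Prints one line per finding
# and returns 0 only when every check passes.
check_sshd_config() {
    file=$1
    rc=0

    prl=$(sshd_opt "$file" PermitRootLogin)
    case "$prl" in
        no|without-password|prohibit-password) ;;   # prohibit-password = newer spelling
        *) echo "FAIL $file: PermitRootLogin=${prl:-<unset, defaults to yes>}"; rc=1 ;;
    esac

    # ChallengeResponseAuthentication was later renamed KbdInteractiveAuthentication;
    # accept either spelling, first one found wins.
    cra=$(sshd_opt "$file" ChallengeResponseAuthentication)
    [ -n "$cra" ] || cra=$(sshd_opt "$file" KbdInteractiveAuthentication)
    [ "$cra" = "no" ] || { echo "FAIL $file: ChallengeResponseAuthentication=${cra:-<unset, defaults to yes>}"; rc=1; }

    pwa=$(sshd_opt "$file" PasswordAuthentication)
    [ "$pwa" = "no" ] || { echo "FAIL $file: PasswordAuthentication=${pwa:-<unset, defaults to yes>} (pubkey-only recommended)"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK   $file: root and password logins restricted"
    return "$rc"
}

# Constructed sample: password logins left on, root allowed with a password.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
# sshd_config with password logins enabled
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
EOF

# Constructed sample: hardened as the message suggests (pubkey only, no root password).
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
permitrootlogin without-password
ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# Demo run: the first file fails all three checks, the second passes.
for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    check_sshd_config "$f" || true
done
```

To audit a live system, call `check_sshd_config /etc/sshd_config` (the path the message gives for OS X of that era; later releases keep it under /etc/ssh/). The lookup mirrors sshd's own first-value-wins rule, so a hardened line appended at the end of a file that already sets "PermitRootLogin yes" near the top would correctly be reported as still weak.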
