* [gentoo-dev] New OpenSSH configuration setup should be double checked
From: Mike Frysinger @ 2003-09-17 6:43 UTC (permalink / raw
To: gentoo-security, gentoo-announce; +Cc: gentoo-dev
the new 3.7.x series has updated the default settings/values/etc... of the
sshd_config file. this is just a heads up to make sure that in your rush to
update all your ssh servers, you didn't miss a step and accidentally open up
your server to previously unauthorized access.

(1) default PAM setting has been changed to YES
(1a) the keyword for toggling PAM auth has been changed from
'PAMAuthenticationViaKbdInt' to 'UsePAM'

(2) if you disabled (set it to no) the PasswordAuthentication feature before
so as to prevent users from logging in with a password (say you only wanted
them to utilize keys), then you must explicitly set UsePAM to no, otherwise
the PasswordAuthentication step will be bypassed by PAM

(3) if you use PasswordAuthentication and PAM (the default config file does
this), then users may now be authenticated via either option. you may notice
this when you attempt to log in, fail password checking 3 times, and suddenly
get a different prompt. this is because the first check (via PAM) failed and
ssh is now falling back to password authentication.
PAM authentication gives you this prompt:
Password:
PasswordAuthentication gives you this prompt:
UserBah@rux0r's password:

i think that about covers it ... for some people you may be annoyed by this
e-mail, others may thank Gentoo devs for it ... just remember:
(1) we all love security (more security, less rooting == better world)
(2) knowledge is half the battle !

-mike
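
Added example, not part of the original message and not code from OpenSSH or Gentoo: a shell check that reads an sshd_config and reports the three situations the message above describes (old keyword still present, PasswordAuthentication disabled while PAM stays on, both paths enabled). The function names, the finding tags and the sample config are made up for illustration, and an unset UsePAM is treated as "yes" because that is the 3.7.x default the message reports.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption taken from the message:
# an sshd_config that does not mention UsePAM behaves as "UsePAM yes".

# sshd_value FILE KEYWORD DEFAULT: effective value of KEYWORD in FILE.
# Keywords are case-insensitive and the first occurrence wins.
sshd_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: print one tagged line per finding, nothing if clean.
audit_sshd_config() {
    pam=$(sshd_value "$1" UsePAM yes)
    pw=$(sshd_value "$1" PasswordAuthentication yes)
    old=$(sshd_value "$1" PAMAuthenticationViaKbdInt unset)

    if [ "$old" != unset ]; then
        echo "RENAMED: PAMAuthenticationViaKbdInt=$old found; 3.7.x uses the keyword UsePAM"
    fi
    if [ "$pw" = no ] && [ "$pam" = yes ]; then
        echo "BYPASS: PasswordAuthentication no but UsePAM yes; set UsePAM no for key-only logins"
    fi
    if [ "$pw" = yes ] && [ "$pam" = yes ]; then
        echo "BOTH: passwords are accepted via PAM and via PasswordAuthentication"
    fi
    return 0
}

# Constructed sample: key-only config carried over unchanged from before 3.7.x.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Protocol 2
PasswordAuthentication no
PAMAuthenticationViaKbdInt no
EOF
audit_sshd_config "$sample"   # prints the RENAMED and BYPASS findings
rm -f "$sample"
```

Adding an explicit `UsePAM no` line to the sample leaves only the RENAMED finding, which is the fix item (2) of the message asks for.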
* [gentoo-dev] OpenSSH 3.7 compatibility problems
From: Andrea Barisani @ 2003-09-18 9:39 UTC (permalink / raw
To: Mike Frysinger; +Cc: gentoo-security, gentoo-dev
It also seems that there are some compatibility problems between openssh and
other ssh clients.

Old versions of putty and other UNIX ssh clients don't work with 'UsePAM yes'
and 'PasswordAuthentication no'.

Any suggestions/reports about that?

Bye

On Wed, Sep 17, 2003 at 02:43:40AM -0400, Mike Frysinger wrote:
> the new 3.7.x series has updated the default settings/values/etc... of the
> sshd_config file. this is just a heads up to make sure that in your rush to
> update all your ssh servers, you didn't miss a step and accidentally open up
> your server to previously unauthorized access.
>
> (1) default PAM setting has been changed to YES
> (1a) the keyword for toggling PAM auth has been changed from
> 'PAMAuthenticationViaKbdInt' to 'UsePAM'
>
> (2) if you disabled (set it to no) the PasswordAuthentication feature before
> so as to prevent users from logging in with a password (say you only wanted
> them to utilize keys), then you must explicitly set UsePAM to no, otherwise
> the PasswordAuthentication step will be bypassed by PAM
>
> (3) if you use PasswordAuthentication and PAM (the default config file does
> this), then users may now be authenticated via either option. you may notice
> this when you attempt to log in, fail password checking 3 times, and suddenly
> get a different prompt. this is because the first check (via PAM) failed and
> ssh is now falling back to password authentication.
> PAM authentication gives you this prompt:
> Password:
> PasswordAuthentication gives you this prompt:
> UserBah@rux0r's password:
>
> i think that about covers it ... for some people you may be annoyed by this
> e-mail, others may thank Gentoo devs for it ... just remember:
> (1) we all love security (more security, less rooting == better world)
> (2) knowledge is half the battle !
>
> -mike
--
------------------------------------------------------------
INFIS Network Administrator & Security Officer .*.
Department of Physics - University of Trieste /V\
lcars@infis.univ.trieste.it - PGP Key 0x8E21FE82 (/ \)
---------------------------------------------------- ( )
"How would you know I'm mad?" said Alice. ^^-^^
"You must be,'said the Cat,'or you wouldn't have come here."
------------------------------------------------------------
--
gentoo-dev@gentoo.org mailing list
* Re: [gentoo-dev] OpenSSH 3.7 compatibility problems
From: Stewart Honsberger @ 2003-09-19 4:55 UTC (permalink / raw
To: Andrea Barisani; +Cc: Mike Frysinger, gentoo-security, gentoo-dev
Andrea Barisani wrote:
> It also seems that there are some compatibility problems between openssh and
> other ssh clients.
>
> Old versions of putty and other UNIX ssh clients don't work with 'UsePAM yes'
> and 'PasswordAuthentication no'.
>
> Any suggestions/reports about that?

I can't speak any more than my experience, but I had an old (~2years)
version of Putty and it would no longer connect to my servers after
upgrading to the latest (Gentoo stable) version of OpenSSH. (Config is
pretty much default; changes include no root logins, and forward X11)

I upgraded Putty and the problem went away.

I'll investigate other SSH clients and see what's what.

--
Stewart Honsberger
http://blackdeath.snerk.org/
"Capitalists, by nature, organize to protect themselves.
-- Geeks, by nature, resist organization."
* Re: [gentoo-dev] OpenSSH 3.7 compatibility problems
From: Martin Schlemmer @ 2003-09-20 18:43 UTC (permalink / raw
To: Stewart Honsberger
Cc: Andrea Barisani, Mike Frysinger, gentoo-security, Gentoo-Dev
On Fri, 2003-09-19 at 06:55, Stewart Honsberger wrote:
> Andrea Barisani wrote:
> > It also seems that there are some compatibility problems between openssh and
> > other ssh clients.
> >
> > Old versions of putty and other UNIX ssh clients don't work with 'UsePAM yes'
> > and 'PasswordAuthentication no'.
> >
> > Any suggestions/reports about that?
>
> I can't speak any more than my experience, but I had an old (~2years)
> version of Putty and it would no longer connect to my servers after
> upgrading to the latest (Gentoo stable) version of OpenSSH. (Config is
> pretty much default; changes include no root logins, and forward X11)
>
> I upgraded Putty and the problem went away.
>
> I'll investigate other SSH clients and see what's what.

Problem is that it was not linked to a specific version of openssh.
I guess this *should* really have been 3.0 and not 2.7 ...

Thanks,
--
Martin Schlemmer
Gentoo Linux Developer, Desktop/System Team Developer
Cape Town, South Africa