From: "Darren Reed"
Reply-To: avalon@coombs.anu.edu.au
To: "johnea"
Cc: freebsd-security@freebsd.org
Date: Sun, 18 Oct 2009 00:36:53 +0200
Subject: Re: openssh concerns
Message-Id: <1255819013.8559.1340620221@webmail.messagingengine.com>
In-Reply-To: <21075_1254443471_4AC549CE_21075_106_1_4AC545C3.9020608@johnea.net>

If this hasn't been mentioned already, disable password logins in sshd_config and require RSA authentication only.
I do this on all hosts I administer that are internet accessible and it allows me to confidently ignore all of the password guessing attacks, resulting in peace of mind.

Darren

RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
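One way to check an sshd_config against the settings in the message above, as an added example (not part of the original message and not OpenSSH's own code). The function names, the sample configs and the assumed upstream defaults are constructed here; Include files and the contents of Match blocks are not evaluated.

```python
import re

# Assumed upstream OpenSSH defaults for absent keywords; vendor builds may differ.
DEFAULTS = {"passwordauthentication": "yes",
            "challengeresponseauthentication": "yes",
            "pubkeyauthentication": "yes"}
# Values the message asks for. RSAAuthentication is not checked: it applied
# to SSH protocol 1 only.
REQUIRED = {"passwordauthentication": "no",
            "challengeresponseauthentication": "no",
            "pubkeyauthentication": "yes"}

def effective_settings(text):
    """Parse the global section: return ({keyword: value}, saw_match_block)."""
    settings = {}
    for raw in text.splitlines():
        # Accept "Key value" and "Key=value"; blank and "#" lines do not match,
        # so a commented-out option sets nothing.
        m = re.match(r"([^#\s]\S*?)(?:\s*=\s*|\s+)(\S+)", raw.strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"').lower()
        if key == "match":
            return settings, True  # conditional overrides start here
        settings.setdefault(key, value)  # sshd keeps the first value it reads
    return settings, False

def audit(text):
    """Return a list of findings; an empty list means password logins are off."""
    settings, saw_match = effective_settings(text)
    findings = []
    for key, want in REQUIRED.items():
        got = settings.get(key, DEFAULTS[key])
        if got != want:
            origin = "configured" if key in settings else "default"
            findings.append(f"{key}={got} ({origin}), want {want}")
    if saw_match:
        findings.append("Match block present: review its overrides separately")
    return findings

# Constructed sample inputs: the message's settings, and a config where an
# earlier "yes" silently wins over a later "no".
HARDENED = """RSAAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
WEAK = """#PasswordAuthentication no
passwordauthentication = yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""
```

On a live host, `sshd -T` prints the effective configuration the daemon will actually use, which also covers Include files.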