From owner-cvs-all Wed Jun 26 13:42:24 2002
Delivered-To: cvs-all@freebsd.org
Received: from mail1.zer0.org (klapaucius.zer0.org [204.152.186.45]) by hub.freebsd.org (Postfix) with ESMTP id 018DA37CDDC; Wed, 26 Jun 2002 13:31:48 -0700 (PDT)
Received: by mail1.zer0.org (Postfix, from userid 1001) id 5F03D239A0F; Wed, 26 Jun 2002 13:31:47 -0700 (PDT)
Date: Wed, 26 Jun 2002 13:31:46 -0700
From: Gregory Sutter
To: "Andrew R. Reiter", Dirk Meyer
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: ports/security/openssh Makefile pkg-plist
Message-ID: <20020626203146.GA56167@klapaucius.zer0.org>
References: <200206260401.g5Q412c68657@freefall.freebsd.org>
In-Reply-To:
User-Agent: Mutt/1.3.28i
Organization: Zer0
X-Purpose: For great justice!
Mail-Copies-To: poster
X-Message-Flag: Ditch this virus-ridden Outlook crap and get a real mailer!
Sender: owner-cvs-all@FreeBSD.ORG

On 2002-06-26 00:03 -0400, "Andrew R. Reiter" wrote:
> On Tue, 25 Jun 2002, Dirk Meyer wrote:
> 
> :dinoex 2002/06/25 21:01:02 PDT
> :
> : Modified files:
> : security/openssh Makefile pkg-plist
> : Log:
> : Small cleanups for smooth migration to $PREFIX/etc/ssh
> : 
> : Revision Changes Path
> : 1.100 +9 -8 ports/security/openssh/Makefile
> : 1.21 +4 -5 ports/security/openssh/pkg-plist
> 
> Why the hell have there been so many commits to this port at a time when
> we KNOW everyone will be doing updates (solely out of paranoia)?

Dirk updated the port quickly to OpenSSH 3.3, then fixed it up to use
PrivSep and (as the above commit log shows) to make migrations to the
new layout easier. I know, because I rebuilt OpenSSH on five machines
after _each_ time he updated the port... and I'm currently doing the
same with the 3.4 upgrade. GRRR! :)

Thanks much for staying on top of the changes to OpenSSH, Dirk.
May I suggest the following patch to sshd_config to make our default
configuration more secure:

--- sshd_config	Wed Jun 26 13:26:46 2002
+++ sshd_config.new	Wed Jun 26 13:28:24 2002
@@ -31,7 +31,7 @@
 # Authentication:
 
 #LoginGraceTime 600
-#PermitRootLogin yes
+PermitRootLogin no
 #StrictModes yes
 
 #RSAAuthentication yes
@@ -54,8 +54,8 @@
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 
-# Change to no to disable s/key passwords
-#ChallengeResponseAuthentication yes
+# Change to yes to enable s/key passwords
+ChallengeResponseAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -74,9 +74,7 @@
 #PrintLastLog yes
 #KeepAlive yes
 #UseLogin no
-UseLogin yes
 #UsePrivilegeSeparation yes
-UsePrivilegeSeparation yes
 #Compression yes
 
 #MaxStartups 10

Greg
-- 
Gregory S. Sutter                       Fnord.
mailto:gsutter@zer0.org
http://www.zer0.org/~gsutter/
hkp://wwwkeys.pgp.net/0x845DFEDD
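Review bot: in the @@ -31,7 +31,7 @@ hunk, `PermitRootLogin no` also shuts off key-based root access, not only password logins, so upgraded machines that run root backup or sync jobs over ssh will lose them silently. If the intent is only to stop password guessing against root, `PermitRootLogin without-password` does that while leaving the key auth that the surrounding context (`#RSAAuthentication yes`) keeps at its default; either way the commit message should say that the effective default changes for anyone who relied on the old commented `#PermitRootLogin yes`.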
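Review bot: the @@ -54,8 +54,8 @@ hunk turns off the stronger of the two interactive mechanisms and leaves the weaker one on. `ChallengeResponseAuthentication no` disables s/key one-time passwords (the hunk's own comment says so), while `#PasswordAuthentication yes` three lines above stays at its default of yes, so reusable plaintext passwords are still accepted. If the aim is "more secure", the pairing should be the other way round (`PasswordAuthentication no`, challenge-response left enabled), or the commit should state why s/key is being disabled. The rewritten comment ("Change to yes to enable") is consistent with the new value, which is fine.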
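Review bot: the @@ -74,9 +74,7 @@ hunk deletes the explicit `UseLogin yes` and `UsePrivilegeSeparation yes` that the port had added, and the text above does not mention it. Dropping UseLogin is right once privilege separation is on (login(1) has to be execed as root, which the privilege-separated session child is not), but say so in the commit message. Removing `UsePrivilegeSeparation yes` is only safe because the `#UsePrivilegeSeparation yes` context line documents yes as the compiled-in default; keeping the explicit line costs nothing and records the intended setting instead of relying on a build default.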
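As an added example, not part of Greg's mail or of the FreeBSD port, the following POSIX shell script shows what the patch changes in sshd's effective configuration. It treats a commented `#Keyword value` line the way the stock sshd_config uses it, as a note of the compiled-in default, and an uncommented line as an explicit setting. The two sample configs are constructed here to mirror the regions the patch touches and are not copies of the real file; the three checks in audit() are my own reading of what the patch is trying to achieve, and the function names are invented for this example.

```shell
#!/bin/sh
# Added example (not the original mail's or the port's code): report the
# effective value of an sshd_config keyword and audit a config against the
# goals of Greg's sshd_config patch.

# Constructed sample: the stock file with the two explicit lines the port
# had added (before the patch).
SSHD_CONFIG_BEFORE='# Authentication:

#LoginGraceTime 600
#PermitRootLogin yes
#StrictModes yes

#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

#UseLogin no
UseLogin yes
#UsePrivilegeSeparation yes
UsePrivilegeSeparation yes
'

# Constructed sample: the same regions after the patch is applied.
SSHD_CONFIG_AFTER='# Authentication:

#LoginGraceTime 600
PermitRootLogin no
#StrictModes yes

#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to yes to enable s/key passwords
ChallengeResponseAuthentication no

#UseLogin no
#UsePrivilegeSeparation yes
'

# effective_value KEYWORD CONFIGTEXT
# Prints "explicit VALUE" when the keyword is set (sshd honours the first
# uncommented occurrence), "default VALUE" when only the "#Keyword value"
# comment from the stock file is present, or "unset" when neither appears.
# Keywords are matched case-insensitively, as sshd(8) does.
effective_value() {
    ev_key=$1
    ev_cfg=$2
    ev_explicit=$(printf '%s\n' "$ev_cfg" | awk -v k="$ev_key" \
        'tolower($1) == tolower(k) { print $2; exit }')
    if [ -n "$ev_explicit" ]; then
        printf 'explicit %s\n' "$ev_explicit"
        return 0
    fi
    ev_default=$(printf '%s\n' "$ev_cfg" | awk -v k="$ev_key" \
        'tolower($1) == ("#" tolower(k)) { print $2; exit }')
    if [ -n "$ev_default" ]; then
        printf 'default %s\n' "$ev_default"
    else
        printf 'unset\n'
    fi
}

# audit CONFIGTEXT: one line per finding, nothing when the config is clean.
# The checks are this example's reading of the patch's goals, not sshd's.
audit() {
    au_cfg=$1
    au_root=$(effective_value PermitRootLogin "$au_cfg")
    case "$au_root" in
        *" no") ;;
        *) echo "PermitRootLogin is ${au_root}: direct root logins are accepted" ;;
    esac
    au_login=$(effective_value UseLogin "$au_cfg")
    au_privsep=$(effective_value UsePrivilegeSeparation "$au_cfg")
    case "$au_login/$au_privsep" in
        *" yes/"*" yes") echo "UseLogin yes with UsePrivilegeSeparation yes: login(1) must run as root, which the privsep session child is not" ;;
    esac
    au_pw=$(effective_value PasswordAuthentication "$au_cfg")
    au_cr=$(effective_value ChallengeResponseAuthentication "$au_cfg")
    case "$au_pw/$au_cr" in
        *" yes/"*" no") echo "PasswordAuthentication ${au_pw} but ChallengeResponseAuthentication ${au_cr}: static passwords stay on while s/key one-time passwords are off" ;;
    esac
}

# audit_count CONFIGTEXT: number of findings (awk END prints 0 for no input).
audit_count() {
    audit "$1" | awk 'END { print NR }'
}

printf 'Before patch:\n'
audit "$SSHD_CONFIG_BEFORE"
printf 'After patch:\n'
audit "$SSHD_CONFIG_AFTER"
```

Run it with `sh`: the "before" config yields two findings (root login at its default of yes, and UseLogin combined with privilege separation), the "after" config yields one (password authentication still at its default of yes with challenge-response turned off). The point of the helper is the distinction sshd makes but a quick read of the file does not: a `#Keyword value` line is documentation of the default, not a setting, so deleting an explicit line changes nothing only when the comment above it happens to state the same value.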