Date:      Mon, 01 Feb 2010 12:29:57 -0800
From:      Doug Barton <dougb@FreeBSD.org>
To:        Matthew Dillon <dillon@apollo.backplane.com>
Cc:        freebsd-security@freebsd.org
Subject:   Re: PHK's MD5 might not be slow enough anymore
Message-ID:  <4B6739C5.9040807@FreeBSD.org>
In-Reply-To: <201002011824.o11IOxjQ045906@apollo.backplane.com>
References:  <20100128182413.GI892@noncombatant.org>	<9d972bed1001281324r29b4b93bw9ec5bc522d0e2764@mail.gmail.com>	<20100128224022.396588dc@gumby.homeunix.com>	<201001282311.o0SNBWp4003678@apollo.backplane.com>	<86ock95bls.fsf@ds4.des.no> <201002011824.o11IOxjQ045906@apollo.backplane.com>


On 02/01/10 10:24, Matthew Dillon wrote:
>      If you don't need PAM's extra features for your sshd access (which is
>      most people) then turn PAM off in your sshd_config to work around the
>      base code change that DES made.  Then the other options will work as
>      intended.  And, just to be safe, also turn off the challenge-response
>      option.
>
> 	UsePAM no
> 	ChallengeResponseAuthentication no
> 	PasswordAuthentication no

I agree that turning PAM off whenever possible is a good thing. It 
should also be noted that regardless of what appears in the default 
config file those options should be uncommented so that you can be sure 
they will be effective across updates.

For the old-school paranoids (like me) the following options are also of 
interest "just in case":

RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes


hth,

Doug

-- 

	Improve the effectiveness of your Internet presence with
	a domain name makeover!    http://SupersetSolutions.com/

	Computers are useless. They can only give you answers.
			-- Pablo Picasso
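
An added example, not part of either message: a Python check that reports whether each option named in the thread is explicitly set in the global section of an sshd_config, rather than only appearing as a commented-out default. The function name `audit`, the status strings and the sample configuration are constructed for illustration.

```python
import re

# Options and values taken from the two messages in the thread above.
WANTED = {
    "usepam": "no", "challengeresponseauthentication": "no",
    "passwordauthentication": "no", "rhostsrsaauthentication": "no",
    "hostbasedauthentication": "no", "ignorerhosts": "yes",
}

# Constructed sample input, not taken from any real host.
SAMPLE = """\
#UsePAM yes
ChallengeResponseAuthentication no
passwordauthentication yes
PasswordAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
Match User backup
    PasswordAuthentication yes
"""

def audit(config_text):
    """Map each wanted option to 'ok', 'commented', 'missing' or 'wrong:<value>'."""
    active, commented = {}, set()
    for raw in config_text.splitlines():
        line = raw.strip()
        is_comment = line.startswith("#")
        m = re.match(r"([A-Za-z]+)(?:\s*=\s*|\s+)(\S+)", line.lstrip("#").strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match" and not is_comment:
            break  # only the global section is audited; Match blocks are conditional
        if key not in WANTED:
            continue
        if is_comment:
            commented.add(key)  # present only as a comment: the built-in default applies
        else:
            active.setdefault(key, value)  # sshd keeps the first value it reads
    result = {}
    for key, want in WANTED.items():
        if key in active:
            result[key] = "ok" if active[key] == want else "wrong:" + active[key]
        else:
            result[key] = "commented" if key in commented else "missing"
    return result

if __name__ == "__main__":
    for option, status in audit(SAMPLE).items():
        print(f"{option:34} {status}")
```

Any status other than `ok` means the option is not pinned to the value recommended in the thread; a `wrong:` result on the sample shows how an earlier duplicate line overrides a later one.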



