From: Doug Barton
To: Matthew Dillon
Cc: freebsd-security@freebsd.org
Subject: Re: PHK's MD5 might not be slow enough anymore
Date: Mon, 01 Feb 2010 12:29:57 -0800
Message-ID: <4B6739C5.9040807@FreeBSD.org>
In-Reply-To: <201002011824.o11IOxjQ045906@apollo.backplane.com>

On 02/01/10 10:24, Matthew Dillon wrote:
> If you don't need PAM's extra features for your sshd access (which is
> most people) then turn PAM off in your sshd_config to work around the
> base code change that DES made. Then the other options will work as
> intended. And, just to be safe, also turn off the challenge-response
> option.
>
> UsePAM no
> ChallengeResponseAuthentication no
> PasswordAuthentication no

I agree that turning PAM off whenever possible is a good thing. It should
also be noted that, regardless of what appears in the default config file,
those options should be uncommented so that you can be sure they will be
effective across updates.

For the old-school paranoids (like me) the following options are also of
interest "just in case":

RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes

hth,

Doug

-- 
Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/

Computers are useless. They can only give you answers. -- Pablo Picasso
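As an added example that is not part of this thread, a POSIX shell check that audits an sshd_config against the six options listed above, flagging any that are commented out (so the compiled-in default applies) or set to a different value; the function names and the sample configs in the comments are mine.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# options recommended above.  An option that is absent or commented out is
# reported as MISSING, because the compiled-in default then applies and can
# change across updates (Doug's point about uncommenting the options).
# Usage:  audit_sshd_config /etc/ssh/sshd_config
# Later OpenSSH releases also accept KbdInteractiveAuthentication as the
# name for ChallengeResponseAuthentication; adjust RECOMMENDED to taste.

RECOMMENDED='UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes'

# sshd_option FILE KEYWORD: print the effective global value, lowercased,
# or nothing.  Keywords are case-insensitive, the first occurrence wins,
# and a Match line starts the conditional section, so we stop there.
sshd_option() {
    awk -v k="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }      # comment or blank line
        tolower($1) == "match" { exit }           # end of global section
        $1 ~ /=/ { sub(/=/, " ") }                # accept Keyword=value form
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: one line per deviation; returns 0 only if clean.
audit_sshd_config() {
    rc=0
    while read -r key want; do
        have=$(sshd_option "$1" "$key")
        if [ -z "$have" ]; then
            echo "MISSING: $key not set, default applies; add '$key $want'"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "WRONG:   $key is '$have', want '$want'"
            rc=1
        fi
    done <<EOF
$RECOMMENDED
EOF
    return $rc
}

if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

To check the configuration sshd actually runs with rather than the file on disk, save the output of `sshd -T` (requires root) to a file and audit that instead.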