From owner-svn-src-all@freebsd.org Tue Dec 5 09:08:49 2017
Return-Path:
Delivered-To: svn-src-all@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id C9A6ADFE146; Tue, 5 Dec 2017 09:08:49 +0000 (UTC) (envelope-from cperciva@FreeBSD.org)
Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9424271E52; Tue, 5 Dec 2017 09:08:49 +0000 (UTC) (envelope-from cperciva@FreeBSD.org)
Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id vB598m64003989; Tue, 5 Dec 2017 09:08:48 GMT (envelope-from cperciva@FreeBSD.org)
Received: (from cperciva@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id vB598mDk003988; Tue, 5 Dec 2017 09:08:48 GMT (envelope-from cperciva@FreeBSD.org)
Message-Id: <201712050908.vB598mDk003988@repo.freebsd.org>
X-Authentication-Warning: repo.freebsd.org: cperciva set sender to cperciva@FreeBSD.org using -f
From: Colin Percival
Date: Tue, 5 Dec 2017 09:08:48 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r326564 - head/release/tools
X-SVN-Group: head
X-SVN-Commit-Author: cperciva
X-SVN-Commit-Paths: head/release/tools
X-SVN-Commit-Revision: 326564
X-SVN-Commit-Repository: base
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-src-all@freebsd.org
X-Mailman-Version: 2.1.25
Precedence: list
List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 05 Dec 2017 09:08:49 -0000

Author: cperciva
Date: Tue Dec 5 09:08:48 2017
New Revision: 326564
URL: https://svnweb.freebsd.org/changeset/base/326564

Log:
  Resurrect r321659: Turn off ChallengeResponseAuthentication for EC2 AMIs.

  EC2 instances are normally launched with an SSH public key specified, which
  is then used for logging in (by default, as 'ec2-user'). Having
  ChallengeResponseAuthentication enabled (as FreeBSD's default sshd_config
  does) has no functional effect in a new EC2 instance, since you can't log in
  using a password until a password has been set -- but having this enabled
  results in alerts from automated scanning tools which can detect that sshd
  advertises support for keyboard-interactive logins (since they can't detect
  that accounts have no password set).

  EC2 users who want to use passwords to log in to their instances will need
  to set 'ChallengeResponseAuthentication yes' in FreeBSD 12.0 and later.

  Discussed with:	gjb, gtetlow, emaste, des
  Requested by:	Amazon
  X-MFC:		No
  Relnotes:	ChallengeResponseAuthentication is turned off by default in Amazon EC2 AMIs.
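The log above disables ChallengeResponseAuthentication by rewriting the commented default line in sshd_config. As an added example that is not part of r326564 or of FreeBSD's release tools, the POSIX sh script below sets an sshd_config keyword the way sshd itself reads the file (keywords are case-insensitive, the first top-level occurrence wins, and lines after the first Match belong to that block) and then reports the value sshd would actually use, so the change can be verified rather than assumed. It also covers the cases a `^#Keyword yes` pattern misses: the directive already uncommented, written in another case, duplicated, or absent. The function names, the temp-file handling and the sample sshd_config are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of r326564 or of FreeBSD's release tools.
# set_sshd_option rewrites one sshd_config keyword the way sshd reads it:
#  - keywords are case-insensitive and the FIRST top-level occurrence wins,
#  - a "#Keyword value" line is a commented default, not a setting,
#  - lines after the first "Match" belong to that block and stay untouched,
#    so a global setting that is absent goes in before the first Match line.
# Assumes POSIX sh plus awk; the sshd_config it is run on is constructed below.

set_sshd_option() {
    cfg=$1; key=$2; val=$3
    tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        {
            line = $0
            # First Match line: emit the global setting before it if not done
            # yet, then pass everything that follows through unchanged.
            if (!in_match && tolower($1) == "match") {
                if (!done) { print key " " val; done = 1 }
                in_match = 1
            }
            if (!in_match) {
                commented = (line ~ /^[ \t]*#/)
                sub(/^[ \t]*#?[ \t]*/, "", line)   # drop leading blanks and "#"
                sub(/[ \t]+$/, "", line)           # drop trailing blanks
                n = split(line, f, /[ \t=]+/)      # "Key value" or "Key=value"
                # A live directive matches on the keyword alone; a commented one
                # only when it is exactly "#Key value", so prose comments survive.
                if (tolower(f[1]) == tolower(key) && (!commented || n == 2)) {
                    if (!done) { print key " " val; done = 1 }
                    next                           # drop later duplicates
                }
            }
            print
        }
        END { if (!done) print key " " val }       # absent and no Match block
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat rather than mv, so the original file keeps its mode and ownership.
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# effective_sshd_option prints the value sshd would use for a keyword:
# the first uncommented, top-level occurrence (prints nothing if unset).
effective_sshd_option() {
    awk -v key="$1" '
        tolower($1) == "match" { exit }
        /^[ \t]*#/ || NF == 0  { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == tolower(key)) { print f[2]; exit }
        }
    ' "$2"
}

# Constructed sshd_config resembling the situation in the commit: the keyword
# is present only as the commented default, and a Match block re-enables it
# for one user. Apply the change and report what sshd would see globally.
demo() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
# constructed sample, not a real FreeBSD sshd_config
#PasswordAuthentication no
#ChallengeResponseAuthentication yes
UsePAM yes
Match User backup
    ChallengeResponseAuthentication yes
EOF
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    effective_sshd_option ChallengeResponseAuthentication "$cfg"
    rm -f "$cfg"
}

demo   # -> no
```

The Match-block handling matters because appending a directive at the end of the file, the obvious fallback when the pattern does not match, would silently place it inside whatever Match block is last and leave the global default unchanged.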
Modified: head/release/tools/ec2.conf Modified: head/release/tools/ec2.conf ============================================================================== --- head/release/tools/ec2.conf Tue Dec 5 08:25:17 2017 (r326563) +++ head/release/tools/ec2.conf Tue Dec 5 09:08:48 2017 (r326564) @@ -81,6 +81,12 @@ vm_extra_pre_umount() { # Load the kernel module for the Amazon "Elastic Network Adapter" echo 'if_ena_load="YES"' >> ${DESTDIR}/boot/loader.conf + # Disable ChallengeResponseAuthentication according to EC2 + # requirements. + sed -i '' -e \ + 's/^#ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/' \ + ${DESTDIR}/etc/ssh/sshd_config + # The first time the AMI boots, the installed "first boot" scripts # should be allowed to run: # * ec2_configinit (download and process EC2 user-data)
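Review bot: the sed in vm_extra_pre_umount() is a silent no-op whenever ${DESTDIR}/etc/ssh/sshd_config does not contain the exact line `#ChallengeResponseAuthentication yes`: the anchored pattern rewrites only that commented default, so a config where the keyword is already uncommented as `ChallengeResponseAuthentication yes`, written in another case (sshd keywords are case-insensitive), or absent keeps the old behaviour, and the AMI build still succeeds with sshd advertising keyboard-interactive, which is exactly what the log says the scanners flag. Add a post-condition after the substitution, for example `grep -q '^ChallengeResponseAuthentication no$' ${DESTDIR}/etc/ssh/sshd_config || exit 1`, so that a future change to the default sshd_config fails the build instead of shipping an unhardened image. Minor: `sed -i ''` is the BSD sed form; it is fine here because the release tools run on FreeBSD, but it is not portable to GNU sed, which would treat the empty string as a file operand.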