Date: Tue, 6 Oct 2009 17:08:56 -0400
From: Garrett Wollman <wollman@bimajority.org>
To: jhell <jhell@DataIX.net>
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: openssh concerns
Message-ID: <19147.45544.619211.308287@hergotha.csail.mit.edu>
In-Reply-To: <alpine.BSF.2.00.0910061443060.51437@qvzrafvba.5c.ybpny>
References: <20091003121830.GA15170@sorry.mine.nu> <4AC9F9C1.9030702@kernel32.de> <bd3cc292fc07e3e63181ab4fb59fa8e7.squirrel@webmail.pknet.net> <86vdis99ie.fsf@ds4.des.no> <alpine.BSF.2.00.0910061443060.51437@qvzrafvba.5c.ybpny>
<<On Tue, 6 Oct 2009 15:49:16 -0400, jhell <jhell@DataIX.net> said:

> Don't forget about making good use of the following configuration
> turntables. You can enforce a default policy of deny by just saying that a
> user must be in the group of AllowGroups. This does enforce a little bit
> more of an administrative overhead but that's for your staff and policy to
> decide.

Indeed, for a personal server that only I ever log in to, one of the first things that I do is add "AllowUsers wollman" to /usr/local/etc/ssh/sshd_config. That's just a belt-and-suspenders thing, though, to make sure that I don't fat-finger the password file or something.

I generally ignore the ssh "invalid user" complaints -- I have a modified version of /etc/periodic/security/800.loginfail that filters them out -- because they're totally irrelevant and have no impact on security. That allows me to pay attention to the (very occasional) password failures on real user accounts.

-GAWollman
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19147.45544.619211.308287>
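The two practices in the message above, an AllowUsers/AllowGroups allow-list in sshd_config and a login-failure report that drops "invalid user" noise so that failures against real accounts stand out, as an added example. This is illustration code written for this page, not Wollman's modified 800.loginfail and not anything from the FreeBSD periodic scripts; the log lines and the sshd_config fragment are constructed, and the function names (has_allow_list, loginfail_filter, count_real_failures) are this example's own.

```shell
#!/bin/sh
# Added example (not from the FreeBSD base system or the message author).

# Constructed sshd_config fragment with the allow-list the message recommends.
SAMPLE_CONFIG='Port 22
PasswordAuthentication yes
AllowUsers wollman
'

# Constructed auth.log excerpt: one probe against a nonexistent account
# and one password failure against a real account.
SAMPLE_LOG='Oct  6 16:01:02 host sshd[1234]: Invalid user admin from 192.0.2.10
Oct  6 16:01:03 host sshd[1234]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Oct  6 16:05:09 host sshd[1240]: Failed password for wollman from 198.51.100.7 port 40001 ssh2
Oct  6 16:05:15 host sshd[1240]: Accepted publickey for wollman from 198.51.100.7 port 40001 ssh2'

# Exit 0 if the given sshd_config text contains an uncommented AllowUsers or
# AllowGroups line, i.e. sshd is in deny-by-default mode for everyone else.
has_allow_list() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Allow(Users|Groups)[[:space:]]'
}

# Read log lines on stdin; keep password failures, drop the "invalid user"
# ones (accounts that do not exist and so cannot be logged in to anyway).
loginfail_filter() {
    grep -i 'failed password' | grep -vi 'invalid user'
}

# Number of password failures against real accounts in the sample log.
count_real_failures() {
    printf '%s\n' "$SAMPLE_LOG" | loginfail_filter | wc -l | tr -d ' '
}

if has_allow_list "$SAMPLE_CONFIG"; then
    echo "sshd_config: allow-list present (deny by default)"
else
    echo "sshd_config: WARNING, no AllowUsers/AllowGroups line"
fi
echo "Password failures on real accounts:"
printf '%s\n' "$SAMPLE_LOG" | loginfail_filter
```

On a real host, replace SAMPLE_CONFIG with the contents of /etc/ssh/sshd_config (or /usr/local/etc/ssh/sshd_config for the port) and feed loginfail_filter from /var/log/auth.log; in a periodic script the same two greps would sit where the stock report greps for failures.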