From owner-freebsd-security@FreeBSD.ORG  Tue Oct  6 21:09:20 2009
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C22F71065676
	for <freebsd-security@freebsd.org>;
	Tue,  6 Oct 2009 21:09:20 +0000 (UTC)
	(envelope-from wollman@hergotha.csail.mit.edu)
Received: from hergotha.csail.mit.edu (hergotha.csail.mit.edu [66.92.79.170])
	by mx1.freebsd.org (Postfix) with ESMTP id 719148FC16
	for <freebsd-security@freebsd.org>;
	Tue,  6 Oct 2009 21:09:19 +0000 (UTC)
Received: from hergotha.csail.mit.edu (localhost [127.0.0.1])
	by hergotha.csail.mit.edu (8.14.3/8.14.3) with ESMTP id n96L8u3c045242; 
	Tue, 6 Oct 2009 17:08:56 -0400 (EDT)
	(envelope-from wollman@hergotha.csail.mit.edu)
Received: (from wollman@localhost)
	by hergotha.csail.mit.edu (8.14.3/8.14.3/Submit) id n96L8uBU045239;
	Tue, 6 Oct 2009 17:08:56 -0400 (EDT) (envelope-from wollman)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <19147.45544.619211.308287@hergotha.csail.mit.edu>
Date: Tue, 6 Oct 2009 17:08:56 -0400
From: Garrett Wollman <wollman@bimajority.org>
To: jhell <jhell@DataIX.net>
In-Reply-To: <alpine.BSF.2.00.0910061443060.51437@qvzrafvba.5c.ybpny>
References: <20091003121830.GA15170@sorry.mine.nu>
	<4AC9F9C1.9030702@kernel32.de>
	<bd3cc292fc07e3e63181ab4fb59fa8e7.squirrel@webmail.pknet.net>
	<86vdis99ie.fsf@ds4.des.no>
	<alpine.BSF.2.00.0910061443060.51437@qvzrafvba.5c.ybpny>
X-Mailer: VM 7.17 under 21.4 (patch 21) "Educational Television" XEmacs Lucid
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0
	(hergotha.csail.mit.edu [127.0.0.1]);
	Tue, 06 Oct 2009 17:08:56 -0400 (EDT)
X-Spam-Status: No, score=-1.4 required=5.0 tests=ALL_TRUSTED
	autolearn=disabled version=3.2.5
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on
	hergotha.csail.mit.edu
X-Mailman-Approved-At: Tue, 06 Oct 2009 21:38:55 +0000
Cc: FreeBSD Security <freebsd-security@freebsd.org>
Subject: Re: openssh concerns
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Oct 2009 21:09:20 -0000

<<On Tue, 6 Oct 2009 15:49:16 -0400, jhell <jhell@DataIX.net> said:

> Don't forget about making good use of the following configuration 
> turntables. You can enforce a default policy of deny by just saying that a 
> user must be in the group of AllowGroups. This does enforce a little bit 
> more of a administrative overhead but that's for your staff and policy to 
> decide.

Indeed, for a personal server that only I ever log in to, one of the
first things that I do is add "AllowUsers wollman" to
/usr/local/etc/ssh/sshd_config.  That's just a belt-and-suspenders
thing, though, to make sure that I don't fat-finger the password file
or something.  I generally ignore the ssh "invalid user" complaints --
I have a modified version of /etc/periodic/security/800.loginfail that
filters them out -- because they're totally irrelevant and have no
impact on security.  That allows me to pay attention to the (very
occasional) password failures on real user accounts.

-GAWollman