Package: openssh-server
Version: 1:5.1p1-5
Severity: normal
Tags: security
The following patch improves security in the default /etc/ssh/sshd_config file:

- PermitRootLogin change: from 'yes' to 'no'
- Add 'Match Address 192.168.1.0/26' example to limit root logins inside LAN (in comments; for sysadm to enable it)

Cosmetic:

- Add paragraph breaks between option groups

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages openssh-server depends on:
ii  adduser               3.110                add and remove users and groups
ii  debconf [debconf-2.0] 1.5.25               Debian configuration management sy
ii  dpkg                  1.14.25              Debian package management system
ii  libc6                 2.9-4                GNU C Library: Shared libraries
ii  libcomerr2            1.41.3-1             common error description library
ii  libkrb53              1.6.dfsg.4~beta1-6   MIT Kerberos runtime libraries
ii  libpam-modules        1.0.1-5              Pluggable Authentication Modules f
ii  libpam-runtime        1.0.1-5              Runtime support for the PAM librar
ii  libpam0g              1.0.1-5              Pluggable Authentication Modules l
ii  libselinux1           2.0.65-5             SELinux shared libraries
ii  libssl0.9.8           0.9.8g-15            SSL shared libraries
ii  libwrap0              7.6.q-16             Wietse Venema's TCP wrappers libra
ii  lsb-base              3.2-20               Linux Standard Base 3.2 init scrip
ii  openssh-blacklist     0.4.1                list of default blacklisted OpenSS
ii  openssh-client        1:5.1p1-5            secure shell client, an rlogin/rsh
ii  procps                1:3.2.7-11           /proc file system utilities
ii  zlib1g                1:1.2.3.3.dfsg-12    compression library - runtime

Versions of packages openssh-server recommends:
ii  openssh-blacklist-extra 0.4.1              list of non-default blacklisted Op
ii  xauth                   1:1.0.3-2          X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard           <none>               (no description available)
pn  rssh                  <none>               (no description available)
pn  ssh-askpass           <none>               (no description available)

-- debconf information excluded
>From d768f16e6a93ce9af395e58a8976aee0a3f2af3d Mon Sep 17 00:00:00 2001 From: Jari Aalto <jari.aa...@cante.net> Date: Mon, 6 Apr 2009 11:31:19 +0300 Subject: [PATCH] - Add 'Match Address example' for local LAN - Change PermitRootLogin to 'no'. --- openssh-server.postinst | 14 +++++++++++++- 1 files changed, 13 insertions(+), 1 deletions(-) mode change 100644 => 100755 openssh-server.postinst diff --git a/openssh-server.postinst b/openssh-server.postinst old mode 100644 new mode 100755 index b7ea210..0d97ea5 --- a/openssh-server.postinst +++ b/openssh-server.postinst @@ -303,13 +303,17 @@ create_sshdconfig() { # What ports, IPs and protocols we listen for Port 22 + # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 + Protocol 2 + # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key + #Privilege Separation is turned on for security UsePrivilegeSeparation yes @@ -323,7 +327,7 @@ LogLevel INFO # Authentication: LoginGraceTime 120 -PermitRootLogin yes +PermitRootLogin no StrictModes yes RSAAuthentication yes @@ -332,10 +336,13 @@ PubkeyAuthentication yes # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes + # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no + # similar for protocol version 2 HostbasedAuthentication no + # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes @@ -375,6 +382,11 @@ AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server UsePAM yes + +# To permit root logins only in local LAN +# Match Address 192.168.1.0/26 +# PermitRootLogin yes + EOF } -- 1.6.1.3
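Review bot: the file header changes openssh-server.postinst from mode 100644 to 100755, which has nothing to do with the sshd_config changes described in the subject and should be dropped or split into its own commit; the same applies to the blank-line-only additions in the hunk at @@ -303,13 +303,17 @@ and the later one at @@ -332,10 +336,13 @@, which are harmless inside the heredoc that ends at EOF but bury a one-line behavioural change under whitespace churn. Suggest one commit for the cosmetic paragraph breaks and a separate commit for the PermitRootLogin change so each can be reviewed and reverted on its own.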
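Review bot: the flip from `-PermitRootLogin yes` to `+PermitRootLogin no` in the hunk at @@ -323,7 +327,7 @@ sits inside create_sshdconfig(), so it changes only configs generated by that function, but for those hosts it locks out any provisioning flow that relies on root SSH on first boot. Consider `PermitRootLogin without-password` as the generated default, which still rejects password logins for root while leaving key-based root login working, and record the changed default in the package changelog/NEWS so administrators see it before their first install rather than after being locked out.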
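Review bot: the commented `Match Address 192.168.1.0/26` example in the hunk at @@ -375,6 +382,11 @@ is correctly placed at the very end of the generated file, since every directive after a `Match` line belongs to that block, but the comment should say so: an administrator who uncomments it and later appends global options below will have those options silently scoped to the LAN prefix. Two further points for the comment text: `Match Address` keys on the client's source address, so the root exception is only as trustworthy as the network's control over who can originate traffic from that prefix (a NAT gateway or a compromised LAN host inherits it), and a /26 covers only 192.168.1.0 through 192.168.1.63, an unusual LAN size; a /24 is the more recognisable example, and either way the reader should be told to substitute their own prefix. Suggest wording along the lines of `# Keep Match blocks at the end of this file; replace the prefix with your own LAN`, and checking a generated sshd_config with the block uncommented using `sshd -t` before the change lands.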