
[Momonga-devel.en:00025] Re: openssh vulnerability



Hi all,

kazuhiko updated the OpenSSH package to 3.7.1p2 with the following
change to sshd_config to make it easier to disable PasswordAuthentication.
It also disallows RootLogin.

N.B. Since 3.7.1p1, UsePAM has defaulted to No when sshd_config
does not specify it.
http://www.st.ryukoku.ac.jp/~kjm/security/ml-archive/bugtraq/2003.09/msg00353.html

Cheers,
zunda

> --- openssh-3.7.1p2/sshd_config.orig    2003-09-02 21:51:18.000000000 +0900
> +++ openssh-3.7.1p2/sshd_config 2003-09-24 09:15:52.000000000 +0900
> @@ -34,6 +34,7 @@
> > #LoginGraceTime 2m
> #PermitRootLogin yes
> +PermitRootLogin no
> #StrictModes yes
> > #RSAAuthentication yes
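
Review bot: the added `PermitRootLogin no` sits directly under the commented default `#PermitRootLogin yes` with nothing marking it as a packaging change, so an administrator reading the file cannot tell that it deviates from the default shown in the comment. Add a one-line comment above it saying that the package disables root login over SSH, and mention it in the package changelog, since hosts that are administered by logging in as root over SSH lose that access once this file is in effect.
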
> @@ -70,6 +71,7 @@
> # and session processing. Depending on your PAM configuration, this may
> # bypass the setting of 'PasswordAuthentication'
> #UsePAM yes
> +UsePAM no
> > #AllowTcpForwarding yes
> #GatewayPorts no
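
Review bot: the comment kept above the added `UsePAM no` only explains the enabled case (PAM "may bypass the setting of 'PasswordAuthentication'") and does not say why the package now sets the value explicitly. Add a short comment stating that PAM is turned off so that a `PasswordAuthentication` setting is honoured, and note that the PAM session processing the existing comment refers to is skipped as well, which matters on hosts that depend on PAM modules for it. Neither hunk sets `PasswordAuthentication` itself, so the administrator still has to change that line to turn password logins off.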

