oss-sec mailing list archives

Re: Possibly insecure permissions on sshd_config in Debian-based distros


From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Thu, 22 Aug 2013 17:07:17 -0400

On 08/22/2013 04:36 PM, Andrey Korolyov wrote:
> On Fri, Aug 23, 2013 at 12:20 AM, Kurt Seifried <kseifried () redhat com> wrote:
>
>> Well, the default file config would of course be known. I'm reading the
>> man page and nothing super secret pops out, e.g. no passwords get
>> embedded. Can you give an example of sensitive information in sshd_config?
>
> AllowUsers/AllowGroups/PermitEmptyPasswords
>
> Obtaining such information can shorten the time of remote brute-force attacks.

I don't think these rise to the level of being worth hiding at all.

PermitEmptyPasswords is one additional password to test against each
user account, which I don't think is significant. And a user with local
access to the machine can already radically shorten brute-force
enumeration of possible accounts with just "getent passwd". The
gap from there to AllowUsers isn't particularly significant by comparison.

I don't know of any history of any serious high-entropy secrets
(passphrases, secret keys, etc.) being stored in sshd_config, and I would
imagine the ssh developers would resist any configuration that
encourages that sort of thing.

Having your config files world-readable by default eases debugging, and
can communicate to savvy users what your policies are without needing to
exchange e-mail or chat.

Administrators who want to make that tradeoff are free to make it, of
course, but if a proposal was made within Debian to do something like
"chmod go-r sshd_config", I would object to it.

This doesn't warrant a CVE.

        --dkg
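As an added example that is not part of the thread, the following POSIX shell audit reports exactly the sshd_config properties discussed above (file mode, AllowUsers/AllowGroups, PermitEmptyPasswords) so an administrator can weigh the world-readable-for-debugging default against "chmod go-r" on their own host. It assumes awk and a GNU or BSD stat(1); Match blocks and the "Key=value" spelling are deliberately not handled, and the function and file names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: report the sshd_config properties
# the discussion names (file mode, AllowUsers/AllowGroups, PermitEmptyPasswords)
# so an admin can decide the world-readable vs "chmod go-r" tradeoff for a host.
# Assumes POSIX sh plus awk and a GNU or BSD stat(1); Match blocks and the
# "Key=value" spelling are not handled (simplifying assumptions).

# Octal permission bits of a file, e.g. 644 (GNU stat first, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the arguments of the first occurrence of a keyword, since sshd uses
# the first obtained value for each keyword; stops at the first Match block.
directive() {
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Print one "info:"/"warn:" line per observation about the given config file.
audit_sshd_config() {
    cfg="$1"
    mode=$(file_mode "$cfg")
    case "$mode" in
        *[4567]) echo "info: $cfg is world-readable (mode $mode)" ;;
        *)       echo "info: $cfg is not world-readable (mode $mode)" ;;
    esac
    for key in AllowUsers AllowGroups; do
        val=$(directive "$cfg" "$key")
        if [ -n "$val" ]; then
            echo "info: $key limits logins to: $val"
        fi
    done
    pep=$(directive "$cfg" PermitEmptyPasswords | tr 'A-Z' 'a-z')
    if [ "$pep" = "yes" ]; then
        echo "warn: PermitEmptyPasswords yes (empty-password accounts can log in)"
    fi
}

# Stand-alone demo on a constructed sample config (not a real host's file).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'AllowUsers alice bob' \
    'PermitEmptyPasswords yes' 'Match User alice' 'AllowGroups wheel' >"$sample"
chmod 644 "$sample"
audit_sshd_config "$sample"
rm -f "$sample"
```

Point it at /etc/ssh/sshd_config on a host to see the same three facts the thread argues about; only PermitEmptyPasswords yes is flagged as a warning, the rest is reported as information.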
