oss-sec mailing list archives
Re: Possibly insecure permissions on sshd_config in Debian-based distros
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Thu, 22 Aug 2013 17:07:17 -0400
On 08/22/2013 04:36 PM, Andrey Korolyov wrote:
> On Fri, Aug 23, 2013 at 12:20 AM, Kurt Seifried <kseifried () redhat com> wrote:
>> Well the default file config would of course be known. I'm reading the man page and nothing super secret pops out, e.g. no passwords get embedded. Can you give an example of sensitive information in sshd_config?
>
> AllowUsers/AllowGroups/PermitEmptyPasswords. Obtaining such information can shorten the time of brute-force remote attacks.
I don't think these rise to the level of being worth hiding at all. PermitEmptyPasswords is one additional password to test against each user account, which i don't think is significant. And a user with local access to the machine can already radically shorten bruteforce enumeration of possible accounts with just "getent passwd". The gap from there to AllowUsers isn't particularly significant by comparison.

I don't know of any history of any serious high-entropy secrets (passphrases, secret keys, etc) being stored in sshd_config, and i would imagine the ssh developers would resist any configuration that encourages that sort of thing.

Having your config files world-readable by default eases debugging, and can communicate to savvy users what your policies are without needing to exchange e-mail or chat. Administrators who want to make that tradeoff are free to make it, of course, but if a proposal was made within debian to do something like "chmod go-r sshd_config", i would object to it.

This doesn't warrant a CVE.

--dkg
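As an added example (not from the thread), a POSIX shell check an administrator weighing the tradeoff above could run: it reports whether an sshd_config is world-readable and which of the directives Andrey named are set in it. The function name and the sample config file are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the thread: audit an sshd_config for the
# directives named in the discussion (AllowUsers, AllowGroups,
# PermitEmptyPasswords) and report whether the file is world-readable.
# Return codes: 0 = nothing both present and exposed, 1 = at least one of
# those directives is set in a world-readable file, 2 = file unreadable.
audit_sshd_config() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }

    # Octal permission bits; GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    # The last octal digit is the "other" class; the 4 bit means readable.
    other=${mode#"${mode%?}"}
    case "$other" in 4|5|6|7) world=yes ;; *) world=no ;; esac
    echo "mode=$mode world-readable=$world"

    # sshd keywords are case-insensitive; commented-out lines are ignored.
    matches=$(grep -Ei '^[[:space:]]*(AllowUsers|AllowGroups|PermitEmptyPasswords)[[:space:]]' "$cfg" || true)
    [ -n "$matches" ] || { echo "none of the named directives set"; return 0; }
    printf '%s\n' "$matches" | sed 's/^/directive: /'
    [ "$world" = yes ] && return 1
    return 0
}

# Constructed sample config for a stand-alone run; not a real system file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
PermitRootLogin no
AllowUsers alice bob
PermitEmptyPasswords no
EOF
chmod 644 "$sample"
audit_sshd_config "$sample"; echo "exit=$?"   # exit=1: directives set, world-readable
chmod 640 "$sample"
audit_sshd_config "$sample"; echo "exit=$?"   # exit=0: directives set, not world-readable
rm -f "$sample"
```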