On Mon, Nov 09, 2015 at 05:14:01PM -0500, James Valleroy wrote: > On 11/09/2015 04:58 PM, Petter Reinholdtsen wrote: > > [Bob Mottram] > >> This patch adds some extra hardening to the ssh server settings, in > >> accordance with the recommendations on bettercrypto.org. > > This approach, editing the file /etc/ssh/sshd_config after installation, > > will very likely cause conffile question during upgrades when the > > package maintainer version of the file changes in the openssh-server > > deb. This will cause upgrade problems for non-technical users. > > > > Because of this, it is probably better to convince the openssh package > > maintainer to change the Debian default settings the way you propose to > > change the FreedomBox setup. > > > > Perhaps this bug should be reassigned to openssh-server or be cloned and > > a copy reassigned to openssh-server? > > > I think sshd_config is not a conffile. It seems to be produced by the > postinst: > https://sources.debian.net/src/openssh/1:6.9p1-2/debian/openssh-server.postinst/#L150 > > And if I'm reading that postinst correctly, it seems like they do > attempt to handle upgrades of this file properly. > > That said, I do agree that we should try to improve Debian default settings.
So I guess the question is whether openssh-server should adopt the recommendations of bettercrypto.org. There's one other thing I noticed, and that's that the PermitRootLogin setting was probably ok in its original form. On freedombox probably the fbx user is effectively acting as root to install/remove services via Plinth.
signature.asc
Description: Digital signature
