Package: openssh-server Version: 1:5.5p1-6 Severity: normal Tags: squeeze My /etc/ssh/sshd_config says:
PermitRootLogin no yet I can still log in from another machine to root: phil@xanthus ~ $ ssh -S none arod.local -l root root@arod.local's password: Linux arod 2.6.32-5-powerpc #1 Fri Dec 10 16:30:49 UTC 2010 ppc The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Wed Jan 26 20:45:14 2011 from 217.155.153.12 root@arod:~# This is a stock Debian squeeze powerpc install, with no tweaks. -- System Information: Debian Release: 6.0 APT prefers testing APT policy: (650, 'testing') Architecture: powerpc (ppc) Kernel: Linux 2.6.32-5-powerpc Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8) Shell: /bin/sh linked to /bin/dash Versions of packages openssh-server depends on: ii adduser 3.112+nmu2 add and remove users and groups ii debconf [debconf-2.0] 1.5.36 Debian configuration management sy ii dpkg 1.15.8.8 Debian package management system ii libc6 2.11.2-9 Embedded GNU C Library: Shared lib ii libcomerr2 1.41.12-2 common error description library ii libgssapi-krb5-2 1.8.3+dfsg-4 MIT Kerberos runtime libraries - k ii libkrb5-3 1.8.3+dfsg-4 MIT Kerberos runtime libraries ii libpam-modules 1.1.1-6.1 Pluggable Authentication Modules f ii libpam-runtime 1.1.1-6.1 Runtime support for the PAM librar ii libpam0g 1.1.1-6.1 Pluggable Authentication Modules l ii libselinux1 2.0.96-1 SELinux runtime shared libraries ii libssl0.9.8 0.9.8o-4 SSL shared libraries ii libwrap0 7.6.q-19 Wietse Venema's TCP wrappers libra ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip ii openssh-blacklist 0.4.1 list of default blacklisted OpenSS ii openssh-client 1:5.5p1-6 secure shell (SSH) client, for sec ii procps 1:3.2.8-9 /proc file system utilities ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime Versions of packages openssh-server recommends: ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op ii xauth 1:1.0.4-1 X authentication utility Versions of packages openssh-server suggests: pn molly-guard <none> (no description available) pn rssh <none> (no description available) pn ssh-askpass <none> (no description available) pn ufw <none> (no description available) -- debconf information: * ssh/use_old_init_script: true ssh/vulnerable_host_keys: ssh/encrypted_host_key_but_no_keygen: ssh/disable_cr_auth: false
# Package generated configuration file # See the sshd_config(5) manpage for details # What ports, IPs and protocols we listen for Port 22 # Use these options to restrict which interfaces/protocols sshd will bind to #ListenAddress :: #ListenAddress 0.0.0.0 Protocol 2 # HostKeys for protocol version 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 3600 ServerKeyBits 768 # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 120 PermitRootLogin no StrictModes yes RSAAuthentication yes PubkeyAuthentication yes #AuthorizedKeysFile %h/.ssh/authorized_keys # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # For this to work you will also need host keys in /etc/ssh_known_hosts RhostsRSAAuthentication no # similar for protocol version 2 HostbasedAuthentication no # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication #IgnoreUserKnownHosts yes # To enable empty passwords, change to yes (NOT RECOMMENDED) PermitEmptyPasswords no # Change to yes to enable challenge-response passwords (beware issues with # some PAM modules and threads) ChallengeResponseAuthentication no # Change to no to disable tunnelled clear text passwords #PasswordAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosGetAFSToken no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes X11Forwarding yes X11DisplayOffset 10 PrintMotd no PrintLastLog yes TCPKeepAlive yes #UseLogin no #MaxStartups 10:30:60 #Banner /etc/issue.net # Allow client to pass locale environment variables AcceptEnv LANG LC_* Subsystem sftp /usr/lib/openssh/sftp-server # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM yes
