I'm not sure we can cover all possible "dangerous configurations". How about a warning when a config option set in one config file is being overridden elsewhere? I think that would be more valuable.
** Changed in: openssh (Ubuntu)
       Status: New => Triaged

** Changed in: openssh (Ubuntu)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2088217

Title:
  Feature request, can we distro-patch sshd to emit warnings on
  dangerous configurations?

Status in openssh package in Ubuntu:
  Triaged

Bug description:
  Hello, recently the change to the sshd .d "drop-in" configuration
  format has been causing problems, like people being surprised to find
  password authentication is enabled:
  https://news.ycombinator.com/item?id=42133181

  I propose that it would be useful to patch sshd to log some settings
  at startup, to bring these potentially dangerous choices more
  visibility:

  - password authentication
  - empty password authentication
  - authenticationmethods
  - usepam
  - weak ciphers, kex, macs
  - hostbased authentication
  - permituserenvironment
  - agent forwarding
  - x11 forwarding / xauth

  I'm not sure if we should only log things that deviate from our
  intended configuration or we ought to just log things regardless.
  (eg, telling users "UsePAM is enabled" without any context might
  encourage some of them to disable UsePAM in an attempt to silence a
  message. So maybe silence on 'normal' or 'expected' or 'encouraged'
  settings is the better approach?)

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2088217/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
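The override warning suggested in the comment, and the "risky setting in effect" warning from the bug description, can both be prototyped outside sshd. The script below is an added example written for this page; it is not Ubuntu's or OpenSSH's code and nothing like it ships in the openssh package. It relies on two documented facts from sshd_config(5): Include is expanded in place (glob matches in sorted order, relative paths resolved under /etc/ssh), and for each keyword the first value obtained wins, which is exactly why a drop-in included at the top of sshd_config beats a later line in sshd_config itself. Keywords under a Match block are recorded but left out of the global analysis, the list of risky keywords is a subset of the bug's list (the cipher/KEX/MAC strength and UsePAM questions are deliberately not decided here), the recursion limit of 16 is the example's own guard rather than sshd's, and the sample config files are constructed in a temporary directory to reproduce the cloud-init drop-in surprise the bug links to.

```python
"""Warn about sshd_config keywords set in more than one file (first value
wins, so later ones are silently ignored) and about risky settings in effect.
Added example, not OpenSSH or Ubuntu code; sample config is constructed."""
import glob
import os
import shlex
import tempfile
from collections import OrderedDict

# Subset of the settings the bug report lists; "yes" is the risky value.
RISKY_YES = {
    "passwordauthentication", "permitemptypasswords", "hostbasedauthentication",
    "permituserenvironment", "x11forwarding", "allowagentforwarding",
}
MAX_DEPTH = 16  # guard against Include loops (example's own limit, not sshd's)


def parse(path, entries=None, in_match=False, depth=0):
    """Read a file in sshd's order, expanding Include in place.
    Returns dicts with file, line, key (lowercased), value, scoped."""
    if entries is None:
        entries = []
    if depth > MAX_DEPTH:
        raise RuntimeError(f"Include nesting too deep at {path}")
    with open(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = shlex.split(line)          # handles quoted values
            if parts and "=" in parts[0]:      # "Key=value" form
                k, v = parts[0].split("=", 1)
                parts = [k, v] + parts[1:]
            if len(parts) > 1 and parts[1] == "=":  # "Key = value" form
                del parts[1]
            key, value = parts[0].lower(), " ".join(parts[1:])
            if key == "match":
                in_match = True                # rest of file is conditional
                continue
            if key == "include":
                for pat in parts[1:]:
                    if not os.path.isabs(pat): # sshd_config(5): relative to /etc/ssh
                        pat = os.path.join("/etc/ssh", pat)
                    for inc in sorted(glob.glob(pat)):
                        parse(inc, entries, in_match, depth + 1)
                continue
            entries.append({"file": path, "line": lineno, "key": key,
                            "value": value, "scoped": in_match})
    return entries


def effective(entries):
    """First obtained global value wins, as in sshd_config(5)."""
    eff = OrderedDict()
    for e in entries:
        if not e["scoped"] and e["key"] not in eff:
            eff[e["key"]] = e
    return eff


def overrides(entries):
    """Keywords set globally more than once: winner first, shadowed after."""
    seen = {}
    for e in entries:
        if not e["scoped"]:
            seen.setdefault(e["key"], []).append(e)
    return {k: v for k, v in seen.items() if len(v) > 1}


def risky(eff):
    return [e for k, e in eff.items() if k in RISKY_YES and e["value"].lower() == "yes"]


def report(root):
    """Warning lines a startup check could log; returned so callers can assert."""
    entries = parse(root)
    out = []
    for key, hits in overrides(entries).items():
        win = hits[0]
        for s in hits[1:]:
            out.append(f"warning: {key} {s['value']} at {s['file']}:{s['line']} is ignored; "
                       f"{key} {win['value']} from {win['file']}:{win['line']} wins")
    for e in risky(effective(entries)):
        out.append(f"warning: {e['key']} yes is in effect (set at {e['file']}:{e['line']})")
    return out


def build_sample():
    """Constructed sample: Include first (as Ubuntu ships it), a drop-in that
    turns password auth on, and a Match block that must not count globally."""
    d = tempfile.mkdtemp()
    dropdir = os.path.join(d, "sshd_config.d")
    os.mkdir(dropdir)
    main = os.path.join(d, "sshd_config")
    with open(main, "w") as f:
        f.write(f"Include {dropdir}/*.conf\n"
                "PasswordAuthentication no\n"
                "PermitRootLogin prohibit-password\n"
                "X11Forwarding yes\n"
                "Match User backup\n"
                "    PasswordAuthentication yes\n")
    with open(os.path.join(dropdir, "50-cloud-init.conf"), "w") as f:
        f.write("PasswordAuthentication yes\n")
    return main


if __name__ == "__main__":
    for line in report(build_sample()):
        print(line)
```

On a real host the authoritative view of what sshd actually uses is `sshd -T` (and `sshd -T -C user=...` for Match-dependent values); what this script adds is provenance, i.e. which file and line produced the winning value and which lines were silently shadowed, which is the information the comment above argues is more useful than a generic "PasswordAuthentication is enabled" message.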