Public bug reported:

Hello, recently the change to the sshd .d "drop-in" configuration format has been causing problems like people being surprised to find password authentication is enabled https://news.ycombinator.com/item?id=42133181

I propose that it would be useful to patch sshd to log some settings at startup, to bring these potentially dangerous choices more visibility:

- password authentication
- empty password authentication
- authenticationmethods
- usepam
- weak ciphers, kex, macs
- hostbased authentication
- permituserenvironment
- agent forwarding
- x11 forwarding / xauth

I'm not sure if we should only log things that deviate from our intended configuration or we ought to just log things regardless. (eg, telling users "UsePAM is enabled" without any context might encourage some of them to disable UsePAM in an attempt to silence a message. So maybe silence on 'normal' or 'expected' or 'encouraged' settings is the better approach?)

Thanks

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/2088217

Title:
  Feature request, can we distro-patch sshd to emit warnings on dangerous configurations?
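
An added example, not part of the bug report or of any OpenSSH/Ubuntu patch: a check over the effective configuration that `sshd -T` prints (drop-in files included), staying silent on expected values and reporting only deviations. The baseline in `EXPECTED`, the "weak" patterns in `WEAK`, and the sample input are assumptions made for illustration.

```python
import re

# Assumed baseline: values treated as "expected"; only deviations are reported.
EXPECTED = {
    "passwordauthentication": "no",
    "permitemptypasswords": "no",
    "authenticationmethods": "any",
    "usepam": "yes",
    "hostbasedauthentication": "no",
    "permituserenvironment": "no",
    "allowagentforwarding": "no",
    "x11forwarding": "no",
}
# Assumed patterns for "weak" algorithm names; adjust to local policy.
WEAK = {
    "ciphers": re.compile(r"-cbc$|^3des|^arcfour"),
    "macs": re.compile(r"md5|^hmac-sha1|^umac-64"),
    "kexalgorithms": re.compile(r"sha1$"),
}

def audit(effective_config):
    """Return warnings for `sshd -T`-style text (one "keyword value" per line)."""
    warnings = []
    for line in effective_config.splitlines():
        key, _, value = line.strip().partition(" ")
        key, value = key.lower(), value.strip()
        if key in EXPECTED and value.lower() != EXPECTED[key]:
            warnings.append(f"{key} is '{value}' (expected '{EXPECTED[key]}')")
        elif key in WEAK:
            bad = [alg for alg in value.split(",") if WEAK[key].search(alg)]
            if bad:
                warnings.append(f"{key} includes weak algorithms: {','.join(bad)}")
    return warnings

# Constructed sample in the format `sshd -T` emits; not taken from a real host.
SAMPLE = """\
port 22
passwordauthentication yes
permitemptypasswords no
usepam yes
allowagentforwarding yes
x11forwarding yes
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc
macs hmac-sha2-256,hmac-md5
kexalgorithms curve25519-sha256,diffie-hellman-group1-sha1
"""

if __name__ == "__main__":
    for warning in audit(SAMPLE):
        print("WARNING:", warning)
```

On a real host the input would come from running `sshd -T` as root instead of `SAMPLE`.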