|
Message-ID: <52167D85.6080707@fifthhorseman.net>
Date: Thu, 22 Aug 2013 17:07:17 -0400
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com
CC: Andrey Korolyov <andrey@...l.ru>, kseifried@...hat.com
Subject: Re: Possibly insecure permissions on sshd_config in
Debian-based distros
On 08/22/2013 04:36 PM, Andrey Korolyov wrote:
> On Fri, Aug 23, 2013 at 12:20 AM, Kurt Seifried <kseifried@...hat.com> wrote:
>> Well the default file config would of course be known. I'm reading the
>> man page and nothing super secret pops out, e.g. no passwords get
>> embedded. Can you give an example of sensitive information in sshd_config?
>
> AllowUsers/AllowGroups/PermitEmptyPasswords
>
> Obtaining such information can shorten time of bruteforce remote attacks.
I don't think these rise to the level of being worth hiding at all.
PermitEmptyPasswords is one additional password to test against each
user account, which i don't think is significant. And a user with local
access to the machine can already radically shorten bruteforce
enumeration of possible accounts with just with "getent passwd". the
gap from there to AllowUsers isn't particularly significant by comparison.
I don't know of any history of any serious high-entropy secrets
(passphrases, secret keys, etc) being stored in sshd_config, and i would
imagine the ssh developers would resist any configuration that
encourages that sort of thing.
Having your config files world-readable by default eases debugging, and
can communicate to savvy users what your policies are without needing to
exchange e-mail or chat.
Administrators who want to make that tradeoff are free to make it, of
course, but if a proposal was made within debian to do something like
"chmod go-r sshd_config", i would object to it.
This doesn't warrant a CVE.
--dkg
Download attachment "signature.asc" of type "application/pgp-signature" (1028 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.