diff options
| author | deraadt@openbsd.org <deraadt@openbsd.org> | 2015-08-06 14:53:21 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2015-08-11 18:57:29 +1000 |
| commit | 1dc8d93ce69d6565747eb44446ed117187621b26 (patch) | |
| tree | 68e850b1c037c7d744836000527320d11b143168 | |
| parent | 90a95a4745a531b62b81ce3b025e892bdc434de5 (diff) | |
add prohibit-password as a synonymn for without-password,
since the without-password is causing too many questions. Harden it to ban
all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
djm, ok markus
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
| -rw-r--r-- | auth.c | 6 | ||||
| -rw-r--r-- | servconf.c | 3 | ||||
| -rw-r--r-- | sshd_config | 4 | ||||
| -rw-r--r-- | sshd_config.5 | 11 |
4 files changed, 15 insertions, 9 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.111 2015/05/01 04:17:51 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.112 2015/08/06 14:53:21 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -352,7 +352,9 @@ auth_root_allowed(const char *method) case PERMIT_YES: return 1; case PERMIT_NO_PASSWD: - if (strcmp(method, "password") != 0) + if (strcmp(method, "publickey") == 0 || + strcmp(method, "hostbased") == 0 || + strcmp(method, "gssapi-with-mic")) return 1; break; case PERMIT_FORCED_ONLY: @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.279 2015/07/31 15:38:09 chris Exp $ */ +/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland * All rights reserved @@ -916,6 +916,7 @@ static const struct multistate multistate_addressfamily[] = { }; static const struct multistate multistate_permitrootlogin[] = { { "without-password", PERMIT_NO_PASSWD }, + { "prohibit-password", PERMIT_NO_PASSWD }, { "forced-commands-only", PERMIT_FORCED_ONLY }, { "yes", PERMIT_YES }, { "no", PERMIT_NO }, diff --git a/sshd_config b/sshd_config index 46df1622..4d77f05a 100644 --- a/sshd_config +++ b/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.96 2015/07/30 19:23:02 deraadt Exp $ +# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -41,7 +41,7 @@ # Authentication: #LoginGraceTime 2m -#PermitRootLogin without-password +#PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 diff --git a/sshd_config.5 b/sshd_config.5 index 6eec1f66..58e277f9 100644 --- a/sshd_config.5 +++ b/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.209 2015/07/30 19:23:02 deraadt Exp $ -.Dd $Mdocdate: July 30 2015 $ +.\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $ +.Dd $Mdocdate: August 6 2015 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1204,16 +1204,19 @@ Specifies whether root can log in using .Xr ssh 1 . The argument must be .Dq yes , +.Dq prohibit-password , .Dq without-password , .Dq forced-commands-only , or .Dq no . The default is -.Dq without-password . +.Dq prohibit-password . .Pp If this option is set to +.Dq prohibit-password +or .Dq without-password , -password authentication is disabled for root. +password and keyboard-interactive authentication are disabled for root. .Pp If this option is set to .Dq forced-commands-only , |