.plan
@400000004bc7a84d353f2ffc
Project: OpenSSH configuration: Threat or Menace?
Plan:
So, the ASF got compromised:
https://blogs.apache.org/infra/entry/apache_org_04_09_2010
The writeup mentions SSHD configuration:
"""SSH passwords should not have been enabled for login over the
Internet. Although the Infrastructure Team had attempted to configure
the sshd daemon to disable password-based logins, having UsePAM yes set
meant that password-based logins were still possible."""
What? Let's take a closer look at the man page for sshd_config:
# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes
Ok, that's rather ridiculous -- PermitRootLogin without-password
shouldn't pass things to PAM, in my opinion. Yes, I know PAM isn't
always password auth, but it almost always is. Now, is UsePAM on or off
by default? Looking below, I see:
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
Since I know these are off by default in OpenSSH, I assume ``UsePAM
yes'' means UsePAM is off. This is wrong -- the man page explains at the
top that the commented values are the defaults. However, here's the
snip from FreeBSD's sshd_config man page:
X11Forwarding
Specifies whether X11 forwarding is permitted. The argument
must be ``yes'' or ``no''. The default is ``yes''.
And here is Ubuntu's:
X11Forwarding
Specifies whether X11 forwarding is permitted. The argument
must be ``yes'' or ``no''. The default is ``no''.
I see. Also in the man page on Ubuntu is this:
Note that the Debian openssh-server package sets several options
as standard in /etc/ssh/sshd_config which are not the default
in sshd(8). The exact list depends on whether the package was
installed fresh or upgraded from various possible previous
versions, but includes at least the following:
* Protocol 2
* ChallengeResponseAuthentication no
* X11Forwarding yes
* PrintMotd no
* AcceptEnv LANG LC_*
* Subsystem sftp /usr/lib/openssh/sftp-server
* UsePAM yes
Well, it's no wonder people are confused. You have FreeBSD transparently
changing the long-standing default options (albeit correctly, if you
were going to do such a thing), and Debian saying ``The default options
in this man page are for the OpenBSD version of OpenSSH. We may have
changed some of them, but you can't be sure which ones. Have a nice
day.''
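Turning that UsePAM caveat into a check, as an added example that is not part of this .plan: a small POSIX sh audit that reads an sshd_config (or the output of sshd -T) and reports whether a password prompt is still reachable through PAM. The defaults it assumes for omitted keywords are upstream OpenSSH's, which, as shown above, a distribution package may have changed.

```shell
#!/bin/sh
# Audit an sshd_config for the UsePAM trap described in the ASF writeup.
# effective_value FILE KEYWORD DEFAULT prints the value sshd would use:
# the FIRST uncommented occurrence wins (sshd_config semantics), otherwise
# DEFAULT. Assumes "keyword value" lines; Match blocks are not handled.
effective_value() {
    awk -v key="$2" -v def="$3" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) && val == "" { val = tolower($2) }
        END { print (val == "" ? def : val) }' "$1"
}

# password_login_possible FILE: status 0 (and a reason) if a password
# prompt is still reachable over the network, 1 if not. Defaults used for
# missing keywords are upstream OpenSSH's; distro packages differ, so feed
# this the output of "sshd -T" on a live host rather than the raw file.
password_login_possible() {
    usepam=$(effective_value "$1" UsePAM no)
    pw=$(effective_value "$1" PasswordAuthentication yes)
    cr=$(effective_value "$1" ChallengeResponseAuthentication yes)
    if [ "$pw" = yes ]; then
        echo "$1: open, PasswordAuthentication yes"
    elif [ "$usepam" = yes ] && [ "$cr" = yes ]; then
        echo "$1: open, UsePAM yes + ChallengeResponseAuthentication yes" \
             "(PAM prompts for the password via keyboard-interactive)"
    else
        echo "$1: closed, no password path"
        return 1
    fi
}

# Constructed samples, not any real host's files: the first mirrors the
# ASF mistake (password auth "off" but the PAM path left open), the second
# closes both paths while keeping UsePAM for account/session checks.
WEAK_CFG=$(mktemp); HARDENED_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
PermitRootLogin without-password
PasswordAuthentication no
UsePAM yes
EOF
cat > "$HARDENED_CFG" <<'EOF'
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF
for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    password_login_possible "$cfg" || true
done
```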