From 9221fa7212521e35bbba4d7108556dd6144068fd Mon Sep 17 00:00:00 2001 From: Theo de Raadt Date: Thu, 6 Aug 2015 14:53:22 +0000 Subject: add prohibit-password as a synonymn for without-password, since the without-password is causing too many questions. Harden it to ban all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from djm, ok markus --- usr.bin/ssh/auth.c | 6 ++++-- usr.bin/ssh/servconf.c | 3 ++- usr.bin/ssh/sshd_config | 4 ++-- usr.bin/ssh/sshd_config.5 | 11 +++++++---- 4 files changed, 15 insertions(+), 9 deletions(-) (limited to 'usr.bin') diff --git a/usr.bin/ssh/auth.c b/usr.bin/ssh/auth.c index cd5abbbc6a6..24ec9d97ca0 100644 --- a/usr.bin/ssh/auth.c +++ b/usr.bin/ssh/auth.c @@ -1,4 +1,4 @@ -/* $OpenBSD: auth.c,v 1.111 2015/05/01 04:17:51 djm Exp $ */ +/* $OpenBSD: auth.c,v 1.112 2015/08/06 14:53:21 deraadt Exp $ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. * @@ -261,7 +261,9 @@ auth_root_allowed(const char *method) case PERMIT_YES: return 1; case PERMIT_NO_PASSWD: - if (strcmp(method, "password") != 0) + if (strcmp(method, "publickey") == 0 || + strcmp(method, "hostbased") == 0 || + strcmp(method, "gssapi-with-mic")) return 1; break; case PERMIT_FORCED_ONLY: diff --git a/usr.bin/ssh/servconf.c b/usr.bin/ssh/servconf.c index ddec1e0c732..04404a4bdb4 100644 --- a/usr.bin/ssh/servconf.c +++ b/usr.bin/ssh/servconf.c @@ -1,5 +1,5 @@ -/* $OpenBSD: servconf.c,v 1.279 2015/07/31 15:38:09 chris Exp $ */ +/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */ /* * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland * All rights reserved @@ -874,6 +874,7 @@ static const struct multistate multistate_addressfamily[] = { }; static const struct multistate multistate_permitrootlogin[] = { { "without-password", PERMIT_NO_PASSWD }, + { "prohibit-password", PERMIT_NO_PASSWD }, { "forced-commands-only", PERMIT_FORCED_ONLY }, { "yes", PERMIT_YES }, { "no", PERMIT_NO }, diff --git a/usr.bin/ssh/sshd_config b/usr.bin/ssh/sshd_config index 2b014dedd74..4bf591ea12a 100644 --- a/usr.bin/ssh/sshd_config +++ b/usr.bin/ssh/sshd_config @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.96 2015/07/30 19:23:02 deraadt Exp $ +# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. @@ -39,7 +39,7 @@ # Authentication: #LoginGraceTime 2m -#PermitRootLogin without-password +#PermitRootLogin prohibit-password #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index 9f815e4f0e5..d2e5b25b550 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.209 2015/07/30 19:23:02 deraadt Exp $ -.Dd $Mdocdate: July 30 2015 $ +.\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $ +.Dd $Mdocdate: August 6 2015 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1205,16 +1205,19 @@ Specifies whether root can log in using .Xr ssh 1 . The argument must be .Dq yes , +.Dq prohibit-password , .Dq without-password , .Dq forced-commands-only , or .Dq no . The default is -.Dq without-password . +.Dq prohibit-password . .Pp If this option is set to +.Dq prohibit-password +or .Dq without-password , -password authentication is disabled for root. +password and keyboard-interactive authentication are disabled for root. .Pp If this option is set to .Dq forced-commands-only , -- cgit v1.2.3