[Ach] SSH improvements

Aaron Zauner azet at azet.org
Sun Nov 17 15:24:13 CET 2013


Hi,

On 17 Nov 2013, at 11:44, Tobias Millauer <is131015 at fhstp.ac.at> wrote:

> Hello everybody,
> 
> Here are some improvements to the SSH section. Do you agree with it?
> 
> -- 8.3 SSH --
> 
> # Use only Protocol 2
> Protocol 2
ACK.

> 
> # Disable empty passwords
> PermitEmptyPasswords no
ACK.

> # Disable unused authentication methods
> UsePAM no
Why would you want to disable PAM? A lot of people use that. For example, at an institute I work for we use SSSD to authenticate via different Active Directories; this is done via PAM. Also, people do script PAM stuff a lot.

> IgnoreRhosts yes
> RhostsRSAAuthentication no
> HostbasedAuthentication no
ACK.

> KerberosAuthentication no
> GSSAPIAuthentication no
> ChallengeResponseAuthentication no

No. I do not see any reason to disable Kerberos, GSSAPI or CRA; the last one is actually used if you have something like hardware tokens (RSA SecurID or others) in place.

Thanks,
Aaron
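
The following is an added example, not part of the original message or of the guide under discussion: a Python check that reads sshd_config text and reports on the directives from this thread. It fails only on the settings both posters agreed on and merely reports the contested ones (UsePAM, Kerberos, GSSAPI, challenge-response), since the reply argues those depend on the site. The function names and the sample configuration are constructed for illustration.

```python
import re

# Settings both posters in the thread agreed on.
AGREED = {"protocol": "2", "permitemptypasswords": "no", "ignorerhosts": "yes",
          "rhostsrsaauthentication": "no", "hostbasedauthentication": "no"}
# Settings the reply argues against disabling: reported, never failed.
SITE_DEPENDENT = ("usepam", "kerberosauthentication",
                  "gssapiauthentication", "challengeresponseauthentication")

SAMPLE = """\
# constructed sample input, not a configuration from the thread
Protocol 2
permitemptypasswords no
IgnoreRhosts = yes
HostbasedAuthentication yes
HostbasedAuthentication no
UsePAM yes
Match User backup
    PermitEmptyPasswords yes
"""


def parse_global(text):
    """Global-section settings; keywords are case-insensitive, first value wins."""
    settings = {}
    for raw in text.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        key = parts[0].lower()
        if not key or key.startswith("#"):
            continue
        if key == "match":  # what follows applies only conditionally
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings


def audit(text):
    """Return (problems, notes) for the directives discussed in the thread."""
    cfg = parse_global(text)
    problems = [f"{k}: {cfg.get(k, 'not set')} (want {want})"
                for k, want in AGREED.items()
                if cfg.get(k, "not set").lower() != want]
    notes = [f"{key}: {cfg.get(key, 'not set')}" for key in SITE_DEPENDENT]
    return problems, notes


if __name__ == "__main__":
    print("\n".join(sum(audit(SAMPLE), [])))
```

The thread dates from 2013; later OpenSSH releases dropped protocol 1, so `Protocol` and `RhostsRSAAuthentication` showing as not set is expected there.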