[Ach] SSH improvements

Aaron Zauner azet at azet.org
Sun Nov 17 15:24:13 CET 2013


On 17 Nov 2013, at 11:44, Tobias Millauer <is131015 at fhstp.ac.at> wrote:

> Hello everybody,
> Here are some improvements to the SSH section. Do you agree with it?
> -- 8.3 SSH --
> # Use only Protocol 2
> Protocol 2

> # Disable empty passwords
> PermitEmptyPasswords no

> # Disable unused authentication methods
> UsePAM no
Why would you want to disable PAM? A lot of people use that. For example: at an institute I work for, we use SSSD to authenticate via different Active Directories; this is done via PAM. Also, people do script PAM stuff a lot.

> IgnoreRhosts yes
> RhostsRSAAuthentication no
> HostbasedAuthentication no

> KerberosAuthentication no
> GSSAPIAuthentication no
> ChallengeResponseAuthentication no

No. I do not see any reason to disable Kerberos, GSSAPI or CRA; the last one is actually used if you have something like hardware tokens (RSA SecurID or others) in place.
