[Ach] SSH improvements
Aaron Zauner
azet at azet.org
Sun Nov 17 15:30:18 CET 2013
On second thought:
We should not exclude Rhosts/RhostsRSAAuthentication. A lot of people use pre-shared keys.
On 17 Nov 2013, at 15:24, Aaron Zauner <azet at azet.org> wrote:
> Hi,
>
> On 17 Nov 2013, at 11:44, Tobias Millauer <is131015 at fhstp.ac.at> wrote:
>
>> Hello everybody,
>>
>> Here are some improvements to the SSH section. Do you agree with it?
>>
>> -- 8.3 SSH --
>>
>> # Use only Protocol 2
>> Protocol 2
> ACK.
>
>>
>> # Disable empty passwords
>> PermitEmptyPasswords no
> ACK.
>
>> # Disable unused authentication methods
>> UsePAM no
> Why would you want to disable PAM? A lot of people use that. For example, at an institute I work for we use SSSD to authenticate via different Active Directories; this is done via PAM. Also, people do script PAM stuff a lot.
>
>> IgnoreRhosts yes
>> RhostsRSAAuthentication no
>> HostbasedAuthentication no
> ACK.
>
>> KerberosAuthentication no
>> GSSAPIAuthentication no
>> ChallengeResponseAuthentication no
>
> No. I do not see any reason to disable Kerberos, GSSAPI or CRA; the last one is actually used if you have something like hardware tokens (RSA SecurID or others) in place.
>
> Thanks,
> Aaron
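The thread argues over which of the proposed sshd_config lines to keep. Before applying any of them, an admin wants to know what the host's config actually resolves to, because sshd uses the first value it reads for a keyword and treats everything after a Match line as conditional. The following Python script is an added example, not part of this message or of the Ach guide; it parses a constructed sshd_config sample and reports where the effective global settings differ from the lines in the proposal that nobody objected to (the UsePAM, Kerberos, GSSAPI and ChallengeResponse lines are left out on purpose). The PROPOSED table and SAMPLE_CONFIG are assumptions made for the example.

```python
"""Audit an sshd_config fragment against the settings proposed in the thread.

Added example: the PROPOSED table and SAMPLE_CONFIG below are constructed
for illustration and do not come from the Ach guide or any real host.
"""
import re

# The proposed lines that the thread did not object to. The contested ones
# (UsePAM, KerberosAuthentication, GSSAPIAuthentication,
# ChallengeResponseAuthentication) are deliberately not in this table.
PROPOSED = {
    "protocol": "2",
    "permitemptypasswords": "no",
    "ignorerhosts": "yes",
    "rhostsrsaauthentication": "no",
    "hostbasedauthentication": "no",
}

# Constructed sample config: shows a duplicate keyword (first value wins)
# and a hardening line hidden inside a Match block (not global).
SAMPLE_CONFIG = """\
# constructed sample, not a real host's file
Port 22
Protocol 2,1
PermitEmptyPasswords yes
UsePAM yes
ChallengeResponseAuthentication yes
IgnoreRhosts yes
# sshd keeps the first PermitEmptyPasswords value; this line is ignored
PermitEmptyPasswords no
Match User backup
    HostbasedAuthentication no
"""

_LINE = re.compile(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    Mirrors sshd's parsing rules: keywords are case-insensitive, the keyword
    and value are separated by whitespace or '=', lines whose first
    non-blank character is '#' are comments, and the FIRST occurrence of a
    keyword is the one sshd uses. Parsing stops at the first 'Match' line,
    because everything after it applies only to matching connections.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # sshd itself would reject this line; ignore here
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first value wins
    return effective


def audit(text, proposed=PROPOSED):
    """Compare effective global settings to the proposed ones.

    Returns a list of (keyword, effective_value, proposed_value) for each
    mismatch. A keyword that is not set at all reports None so the reader
    can decide whether the sshd default for their version is acceptable.
    """
    effective = parse_sshd_config(text)
    findings = []
    for key, want in proposed.items():
        have = effective.get(key)
        if have is None or have.lower() != want.lower():
            findings.append((key, have, want))
    return findings


if __name__ == "__main__":
    for key, have, want in audit(SAMPLE_CONFIG):
        print(f"{key}: effective={have!r} proposed={want!r}")
```

On a live host the same check can be run against the daemon's own view of its configuration: `sshd -T` prints the effective settings after sshd has applied its first-value-wins rule, so feeding that output to `audit()` avoids the guesswork of reading the file by hand.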