PHK's MD5 might not be slow enough anymore
Matthew Dillon
dillon at apollo.backplane.com
Wed Feb 3 18:14:40 UTC 2010
:If you're serious about strong authentication, use time-synchronized OTP
:tokens. Oh wait, you can't, because you need PAM and ChallengeResponse
:to mediate between the user and the backend, which usually acts like a
:Radius server. Too bad.
:
:DES
:--
:Dag-Erling Smørgrav - des at des.no
The default PAM setting in OpenSSH is 0. Line 138 of servconf.c
in openssh-5.3p1 (that's the portable version). The default comment
in sshd_config in openssh-5.3p1 from ftp.openssh.com is conducive
to the state of the code, which is the reverse of what FreeBSD has done.
I didn't bother to go check earlier releases to see if it was different
in the past, but that seems to be the current state.
Frankly I'm a bit surprised that you are even trying to defend the
FreeBSD changes. They are clearly less secure. All you had to do
was adjust the default sshd_config. PAM is black-magic for most users,
the last thing you want to do is suggest that the general user base
make changes to PAM configuration files versus the far more user
friendly sshd_config.
The vast majority of BSD users don't need PAM's capabilities when it
comes to ssh. Having it disabled by default is more appropriate.
For that matter, your suggestion that all users use some esoteric
feature and mess with PAM configuration files as a solution instead
of changing the far more user-friendly sshd_config is just bad advice
to users. It seems to me that you are setting defaults for the
convenience of a minority of people when they should be set for the
convenience of the majority.
And if you are really going to insist on changing the option around
the least you could have done was uncomment the related options and
set them to a definitive 'no' value (that would be ChallengeResponse
at the very least) when you made the other changes.
The whole point of my original posting was to provide an alternative
to users concerned with password attacks on ssh and you basically
turned it into a personal attack. You need to grow up.
--
In any case, I think Mr Barton's posting was excellent. We already
ship with PasswordAuthentication set to 'no' and, of course, PAM is
disabled by default, but I am going to make further adjustments to
our sshd_config based on Doug's suggestions plus I will also
uncomment ChallengeResponseAuthentication and set that to 'no' too
as a further safety measure.
The plain fact of the matter is that allowing short user passwords
over-the-wire for a shell login, whether in the clear or tunneled,
can no longer be considered a reasonable default in this day and age.
-Matt
Matthew Dillon
<dillon at backplane.com>
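As an added illustration of the point above (not code from Matt's message, OpenSSH or FreeBSD), the following shell function reads an sshd_config fragment the way sshd does, first uncommented match wins and commented lines are ignored, so a commented-out "#UsePAM no" does not disable PAM. The two config fragments and the default values passed to the function are constructed here and are assumptions; Match blocks are not handled.

```shell
#!/bin/sh
# Constructed sshd_config fragment: PasswordAuthentication is off, but
# ChallengeResponseAuthentication is only present as a commented default
# and UsePAM is explicitly on, so keyboard-interactive password prompts
# via PAM remain reachable.
WEAK_CFG='PasswordAuthentication no
#ChallengeResponseAuthentication yes
UsePAM yes
PermitRootLogin no'

# Constructed hardened fragment: every password-bearing option is
# uncommented and set to a definitive "no".
HARDENED_CFG='PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no
PermitRootLogin no'

# effective_value CONFIG KEYWORD DEFAULT
# Prints the effective value of KEYWORD: keywords are case-insensitive,
# the first uncommented occurrence wins, and a line starting with "#"
# never matches. DEFAULT is the caller's assumed compiled-in default.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# password_paths_closed CONFIG
# Succeeds only when all three ways a password can reach sshd are off.
# Assumed defaults: PasswordAuthentication yes, ChallengeResponse yes,
# UsePAM no (the portable OpenSSH default named in the message above).
password_paths_closed() {
    cfg="$1"
    [ "$(effective_value "$cfg" PasswordAuthentication yes)" = no ] &&
    [ "$(effective_value "$cfg" ChallengeResponseAuthentication yes)" = no ] &&
    [ "$(effective_value "$cfg" UsePAM no)" = no ]
}

# report LABEL CONFIG: human-readable summary, always returns 0.
report() {
    if password_paths_closed "$2"; then
        printf '%s: no password path enabled\n' "$1"
    else
        printf '%s: a password path is still enabled\n' "$1"
    fi
}

report weak "$WEAK_CFG"
report hardened "$HARDENED_CFG"
```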