[Bug 2088217] [NEW] Feature request, can we distro-patch sshd to emit warnings on dangerous configurations?

Seth Arnold 2088217 at bugs.launchpad.net
Thu Nov 14 18:48:37 UTC 2024 

Public bug reported:

Hello, recently the change to the sshd .d "drop-in" configuration format
has been causing problems like people being surprised to find password
authentication is enabled https://news.ycombinator.com/item?id=42133181

I propose that it would be useful to patch sshd to log some settings at
startup, to bring these potentially dangerous choices more visibility:

- password authentication
- empty password authentication
- authenticationmethods
- usepam
- weak ciphers, kex, macs
- hostbased authentication
- permituserenvironment
- agent forwarding
- x11 forwarding / xauth

I'm not sure if we should only log things that deviate from our intended
configuration or we ought to just log things regardless. (eg, telling
users "UsePAM is enabled" without any context might encourage some of
them to disable UsePAM in an attempt to silence a message. So maybe
silence on 'normal' or 'expected' or 'encouraged' settings is the better
approach?)

Thanks

** Affects: openssh (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2088217

Title:
  Feature request, can we distro-patch sshd to emit warnings on
  dangerous configurations?

Status in openssh package in Ubuntu:
  New

Bug description:
  Hello, recently the change to the sshd .d "drop-in" configuration
  format has been causing problems like people being surprised to find
  password authentication is enabled
  https://news.ycombinator.com/item?id=42133181

  I propose that it would be useful to patch sshd to log some settings
  at startup, to bring these potentially dangerous choices more
  visibility:

  - password authentication
  - empty password authentication
  - authenticationmethods
  - usepam
  - weak ciphers, kex, macs
  - hostbased authentication
  - permituserenvironment
  - agent forwarding
  - x11 forwarding / xauth

  I'm not sure if we should only log things that deviate from our
  intended configuration or we ought to just log things regardless. (eg,
  telling users "UsePAM is enabled" without any context might encourage
  some of them to disable UsePAM in an attempt to silence a message. So
  maybe silence on 'normal' or 'expected' or 'encouraged' settings is
  the better approach?)

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2088217/+subscriptions

More information about the foundations-bugs mailing list