[Bug 2088217] Re: Feature request, can we distro-patch sshd to emit warnings on dangerous configurations?
Andreas Hasenack
2088217 at bugs.launchpad.net
Mon Nov 18 14:18:29 UTC 2024
I'm not sure we can cover all possible "dangerous configurations". How
about a warning when a config option set in one config file is being
overridden elsewhere? I think that would be more valuable.
** Changed in: openssh (Ubuntu)
Status: New => Triaged
** Changed in: openssh (Ubuntu)
Importance: Undecided => Low
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/2088217
Title:
Feature request, can we distro-patch sshd to emit warnings on
dangerous configurations?
Status in openssh package in Ubuntu:
Triaged
Bug description:
Hello, recently the change to the sshd .d "drop-in" configuration
format has been causing problems like people being surprised to find
password authentication is enabled
https://news.ycombinator.com/item?id=42133181
I propose that it would be useful to patch sshd to log some settings
at startup, to bring these potentially dangerous choices more
visibility:
- password authentication
- empty password authentication
- authenticationmethods
- usepam
- weak ciphers, kex, macs
- hostbased authentication
- permituserenvironment
- agent forwarding
- x11 forwarding / xauth
I'm not sure if we should only log things that deviate from our
intended configuration or we ought to just log things regardless. (eg,
telling users "UsePAM is enabled" without any context might encourage
some of them to disable UsePAM in an attempt to silence a message. So
maybe silence on 'normal' or 'expected' or 'encouraged' settings is
the better approach?)
Thanks
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2088217/+subscriptions
More information about the foundations-bugs
mailing list