author | deraadt@openbsd.org <deraadt@openbsd.org> | 2015-08-06 14:53:21 +0000 |
committer | Damien Miller <djm@mindrot.org> | 2015-08-11 18:57:29 +1000 |
commit | 1dc8d93ce69d6565747eb44446ed117187621b26 (patch) | |
tree | 68e850b1c037c7d744836000527320d11b143168 | |
parent | 90a95a4745a531b62b81ce3b025e892bdc434de5 (diff) |
upstream commit
add prohibit-password as a synonym for without-password,
since the without-password is causing too many questions. Harden it to ban
all but pubkey, hostbased, and GSSAPI auth (when the latter is enabled) from
djm, ok markus
Upstream-ID: d53317d7b28942153e6236d3fd6e12ceb482db7a
-rw-r--r-- | auth.c | 6 | ||||
-rw-r--r-- | servconf.c | 3 | ||||
-rw-r--r-- | sshd_config | 4 | ||||
-rw-r--r-- | sshd_config.5 | 11 |
4 files changed, 15 insertions, 9 deletions
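--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.111 2015/05/01 04:17:51 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.112 2015/08/06 14:53:21 deraadt Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl. All rights reserved.
  *
@@ -352,7 +352,9 @@ auth_root_allowed(const char *method)
 	case PERMIT_YES:
 		return 1;
 	case PERMIT_NO_PASSWD:
-		if (strcmp(method, "password") != 0)
+		if (strcmp(method, "publickey") == 0 ||
+		    strcmp(method, "hostbased") == 0 ||
+		    strcmp(method, "gssapi-with-mic"))
 			return 1;
 		break;
 	case PERMIT_FORCED_ONLY: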
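Review bot: The third operand of the new condition at new line 357, `strcmp(method, "gssapi-with-mic"))`, is missing `== 0`, so it is non-zero for every method except gssapi-with-mic and the whole `if` returns 1 for "password" and "keyboard-interactive" too — the opposite of what the commit message and the sshd_config.5 hunk promise, and a weakening of the old `strcmp(method, "password") != 0` check it replaces. It should read `strcmp(method, "gssapi-with-mic") == 0)`. A regression test that calls auth_root_allowed("password") under PermitRootLogin prohibit-password and expects 0 would catch this and is worth adding alongside the fix. The enclosing auth_root_allowed() begins and ends outside this hunk.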
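diff --git a/servconf.c b/servconf.c
index f06e1748f..6c7a91e6b 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.279 2015/07/31 15:38:09 chris Exp $ */
+/* $OpenBSD: servconf.c,v 1.280 2015/08/06 14:53:21 deraadt Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -916,6 +916,7 @@ static const struct multistate multistate_addressfamily[] = {
 };
 static const struct multistate multistate_permitrootlogin[] = {
 	{ "without-password", PERMIT_NO_PASSWD },
+	{ "prohibit-password", PERMIT_NO_PASSWD },
 	{ "forced-commands-only", PERMIT_FORCED_ONLY },
 	{ "yes", PERMIT_YES },
 	{ "no", PERMIT_NO },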
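Review bot: The new entry at new line 919 maps "prohibit-password" to the same PERMIT_NO_PASSWD as "without-password" with no comment, so a reader cannot tell whether the duplication is deliberate or which spelling is preferred. A one-line comment above the pair, `/* "prohibit-password" is the preferred spelling; "without-password" is kept as a compatibility alias */`, would settle that. Since both names share one enum value, the hardened checks in auth.c also apply to existing configurations that still say without-password, which is worth stating there too. The multistate_permitrootlogin table ends outside this hunk.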
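diff --git a/sshd_config b/sshd_config
index 46df1622f..4d77f05aa 100644
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-# $OpenBSD: sshd_config,v 1.96 2015/07/30 19:23:02 deraadt Exp $
+# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
 
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.
@@ -41,7 +41,7 @@
 # Authentication:
 
 #LoginGraceTime 2m
-#PermitRootLogin without-password
+#PermitRootLogin prohibit-password
 #StrictModes yes
 #MaxAuthTries 6
 #MaxSessions 10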
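diff --git a/sshd_config.5 b/sshd_config.5
index 6eec1f668..58e277f95 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.209 2015/07/30 19:23:02 deraadt Exp $
-.Dd $Mdocdate: July 30 2015 $
+.\" $OpenBSD: sshd_config.5,v 1.210 2015/08/06 14:53:21 deraadt Exp $
+.Dd $Mdocdate: August 6 2015 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1204,16 +1204,19 @@ Specifies whether root can log in using
 .Xr ssh 1 .
 The argument must be
 .Dq yes ,
+.Dq prohibit-password ,
 .Dq without-password ,
 .Dq forced-commands-only ,
 or
 .Dq no .
 The default is
-.Dq without-password .
+.Dq prohibit-password .
 .Pp
 If this option is set to
+.Dq prohibit-password
+or
 .Dq without-password ,
-password authentication is disabled for root.
+password and keyboard-interactive authentication are disabled for root.
 .Pp
 If this option is set to
 .Dq forced-commands-only ,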