Hardening - Revision history

Thomas-schneider-d320@ruhr-uni-bochum.de: Undo revision 4957 by Thomas-schneider-d320@ruhr-uni-bochum.de (talk) hab mich verlesen

2022-11-17T11:42:47Z

Undo revision 4957 by Thomas-schneider-d320@ruhr-uni-bochum.de (talk) hab mich verlesen

Thomas-schneider-d320@ruhr-uni-bochum.de: publickey existiert nicht als config option

2022-11-17T11:39:29Z

publickey existiert nicht als config option

Pascal-ernster-7ce9@ruhr-uni-bochum.de: /* /etc/ssh/sshd_config */ fixed typo "replaces" ➡ "replaced"

2020-05-27T01:25:08Z

/etc/ssh/sshd_config: fixed typo "replaces" ➡ "replaced"

Pascal-ernster-7ce9@ruhr-uni-bochum.de: "being more easily checked" ➡ "being more easy to check"

2020-05-25T15:00:45Z

"being more easily checked" ➡ "being more easy to check"

Pascal-ernster-7ce9@ruhr-uni-bochum.de: Created page

2020-05-25T14:59:45Z

Created page

New page

[[Category:HPC-Admin]]
<strong>Note: This page is still work in progress, so don't use for production (yet).</strong>

=SSH=
==/etc/ssh/sshd_config==
<pre>
AuthenticationMethods publickey
ReKeyLimit 1G 10m
AllowAgentForwarding no
</pre>
A few remarks:
* Disallowing root login doesn't bring any security advantages if you're only allowing secure AuthenticationMethods anyhow. It can even decrease overall security, because if forces you to use sudo, which could be replaces with a malicious (keylogging or command injecting) shell alias within the context of the unprivileged user account you're using sudo from.
* Compared to <code>PasswordAuthentication no</code>, <code>AuthenticationMethods publickey</code> has the advantage of being more easily checked during blackbox security scans, without even requiring a user account on the machine to be scanned. A potential downside is that it will also prevent some 2FA login methods like TOTP from working.

@@ Line 5: / Line 5: @@
 ==/etc/ssh/sshd_config==
 <pre>
-AuthenticationMethods prohibit-password
+AuthenticationMethods publickey
 ReKeyLimit 1G 10m
 AllowAgentForwarding no
@@ Line 11: / Line 11: @@
 A few remarks:
 * Disallowing root login doesn't bring any security advantages if you're only allowing secure AuthenticationMethods anyhow. It can even decrease overall security, because if forces you to use sudo, which could be replaced with a malicious (keylogging or command injecting) shell alias within the context of the unprivileged user account you're using sudo from.
-* Compared to <code>PasswordAuthentication no</code>, <code>AuthenticationMethods prohibit-password</code> has the advantage of being more easy to check during blackbox security scans, without even requiring a user account on the machine to be scanned. A potential downside is that it will also prevent some 2FA login methods like TOTP from working.
+* Compared to <code>PasswordAuthentication no</code>, <code>AuthenticationMethods publickey</code> has the advantage of being more easy to check during blackbox security scans, without even requiring a user account on the machine to be scanned. A potential downside is that it will also prevent some 2FA login methods like TOTP from working.

@@ Line 5: / Line 5: @@
 ==/etc/ssh/sshd_config==
 <pre>
-AuthenticationMethods publickey
+AuthenticationMethods prohibit-password
 ReKeyLimit 1G 10m
 AllowAgentForwarding no
@@ Line 11: / Line 11: @@
 A few remarks:
 * Disallowing root login doesn't bring any security advantages if you're only allowing secure AuthenticationMethods anyhow. It can even decrease overall security, because if forces you to use sudo, which could be replaced with a malicious (keylogging or command injecting) shell alias within the context of the unprivileged user account you're using sudo from.
-* Compared to <code>PasswordAuthentication no</code>, <code>AuthenticationMethods publickey</code> has the advantage of being more easy to check during blackbox security scans, without even requiring a user account on the machine to be scanned. A potential downside is that it will also prevent some 2FA login methods like TOTP from working.
+* Compared to <code>PasswordAuthentication no</code>, <code>AuthenticationMethods prohibit-password</code> has the advantage of being more easy to check during blackbox security scans, without even requiring a user account on the machine to be scanned. A potential downside is that it will also prevent some 2FA login methods like TOTP from working.

@@ Line 10: / Line 10: @@
 </pre>
 A few remarks:
-* Disallowing root login doesn't bring any security advantages if you're only allowing secure AuthenticationMethods anyhow. It can even decrease overall security, because if forces you to use sudo, which could be replaces with a malicious (keylogging or command injecting) shell alias within the context of the unprivileged user account you're using sudo from.
+* Disallowing root login doesn't bring any security advantages if you're only allowing secure AuthenticationMethods anyhow. It can even decrease overall security, because if forces you to use sudo, which could be replaced with a malicious (keylogging or command injecting) shell alias within the context of the unprivileged user account you're using sudo from.
 * Compared to <code>PasswordAuthentication no</code>, <code>AuthenticationMethods publickey</code> has the advantage of being more easy to check during blackbox security scans, without even requiring a user account on the machine to be scanned. A potential downside is that it will also prevent some 2FA login methods like TOTP from working.