Skip to content

Update sshd-pfs_config #57

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
rhyven wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Update sshd-pfs_config #57

rhyven wants to merge 2 commits into from

Conversation

@rhyven
Copy link

@rhyven rhyven commented Mar 9, 2015

Added more detail for a strong sshd_config file

@rhyven
Update sshd-pfs_config
52be890 
Added more detail for a strong sshd_config file
@GigabyteProductions
Copy link

GigabyteProductions commented Jun 21, 2015

This definitely looks like an improvement, but what is the shortened LoginGraceTime for?

fmarier
fmarier reviewed Jun 21, 2015
View reviewed changes
configs/sshd/sshd-pfs_config Outdated
Copy link

@fmarier fmarier Jun 21, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A better value for this setting is sandbox. Here's the description from the manpage:

If UsePrivilegeSeparation is set to “sandbox” then the pre-authentication unprivileged process is subject to additional restrictions.

(via https://wiki.mozilla.org/Security/Guidelines/OpenSSH)

Copy link
Author

@rhyven rhyven Aug 21, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fmarier - Thanks François, I didn't know about the sandbox setting!

Copy link
Author

@rhyven rhyven Aug 21, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@GigabyteProductions - Just to reduce the amount of time the system is listening to an unauthenticated user; I was coming from a viewpoint of "minimum possible access", and didn't see the point in giving people a whole 120 seconds of airtime. There may be no security value in it, but there might be a new 0-day at some point or something.

@rhyven
Additional comments, and some tweaks
91164b7 
Changed PrivilegeSeparation to sandbox (thanks, @fmarier!)
Added VERBOSE log level
Added 4096-bit RSA key (usually 1024 or 2048 bit created on initial system install)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rhyven @GigabyteProductions @fmarier