[BlueOnyx:16899] Re: sshd_config

Matthew Komar mkomar at serverrack.net
Fri Jan 23 13:09:55 -05 2015


Any chance we could get 'without-password' added as a menu option? Maybe we
call it "Key Only" or something like that in the drop down list to not
freak people out thinking that it would allow root access without any
authentication.

On Fri, Jan 23, 2015 at 11:36 AM, Michael Stauber <mstauber at blueonyx.it>
wrote:

> Hi Matthew,
>
> > My sshd_config keeps getting overwritten. I think it's
> > coming as a result of some BlueOnyx rpm though I'm
> > not 100% certain.
>
> Yes. BlueOnyx modifies the sshd_config. There are certain parameters in
> it that we change to match the ones that you configured in the GUI for
> SSHd. This will not replace sshd_config entirely. It just edits the
> selected few parameters that the GUI manages.
>
> > I've changed:
> >
> > AllowTcpForwarding yes
> > PermitRootLogin without-password
>
> Which are both "reserved" parameters which we manage.
> "AllowTcpForwarding" is off as it would allow bouncing SPAM to users
> even if their account has no shell.
>
> "PermitRootLogin" is reserved as well and we allow only "yes" or "no" as
> options.
>
> So here is what you can do:
>
> To get your root logins working enable "root" access in the SSH config
> in the GUI. That will set that parameter to "yes". Then use SSH key or
> certificate access instead and you don't have to worry about entering a
> password on login as long as you come from a box that's known and
> trusted, or has the matching key or certificate.
>
> As for "AllowTcpForwarding": You can enable it on a per user basis in
> sshd_config. There is a comment in sshd_config that explains how to do
> it. You just can't turn it on for everyone, as that would be (security
> wise) a bad idea.
>
> --
> With best regards
>
> Michael Stauber
> _______________________________________________
> Blueonyx mailing list
> Blueonyx at mail.blueonyx.it
> http://mail.blueonyx.it/mailman/listinfo/blueonyx
>
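As an added example (not part of the original thread and not BlueOnyx code), this Python sketch resolves the effective value of the settings discussed above for a given user, including a per-user `Match User` override, and reports whether root can still log in with a password. The sample file, the account name `alice`, the defaults table and all function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample, not a real BlueOnyx file ("alice" is hypothetical).
SAMPLE = """\
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding no
Match User alice
    AllowTcpForwarding yes
"""
# Assumption: OpenSSH 7.0+ defaults for keywords the file does not set.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes", "allowtcpforwarding": "yes"}

def parse(text):
    """Split the file into global settings and (criteria, settings) blocks."""
    glob, blocks = {}, []
    cur = glob
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            cur = {}
            blocks.append((val, cur))
        else:
            cur.setdefault(key, val)  # sshd keeps the first value it reads
    return glob, blocks

def matches(criteria, user):
    """Handle only 'Match all' and 'Match User a,b*' (no negation, no Group)."""
    kind, pats = (criteria.split(None, 1) + ["", ""])[:2]
    return kind.lower() == "all" or (kind.lower() == "user" and any(
        fnmatchcase(user, p) for p in pats.strip().split(",")))

def effective(text, user):
    """Matching Match blocks override globals, which override defaults."""
    glob, blocks = parse(text)
    eff = {}
    for src in [s for c, s in blocks if matches(c, user)] + [glob, DEFAULTS]:
        for key, val in src.items():
            eff.setdefault(key, val)
    return eff

def root_password_login(text):
    """True when root can still authenticate with a password."""
    eff = effective(text, "root")
    return eff["permitrootlogin"] == "yes" and eff["passwordauthentication"] == "yes"
```

On a live host, `sshd -T` with a `-C` connection specification prints the configuration that sshd itself resolves, which is the authoritative check.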