On Wednesday 26 January 2011, Guillaume ALAUX wrote:
> On Wed, 2011-01-26 at 11:38 +0100, Gaetan Bisson wrote:
> > [2011-01-26 11:29:56 +0100] Guillaume ALAUX:
> > > We reverted back to the upstream conf to follow the Arch idea. We implicitly say "Power user, do your job when installing an SSH server". I understand your concern about minimum security but users should know how to configure an OpenSSH server if they need one. And if they don't, maybe let's add a secure example in the wiki.
> >
> > Just to clarify: The default sshd_config from upstream *is* secure.
> > We are just talking about enabling (or not) features by default.
>
> > Just to clarify: The default sshd_config from upstream *is* secure.
>
> Agree
>
> > We are just talking about enabling (or not) features by default.
>
> I think we should leave it as is but I don't really mind.
>
> --
> Guillaume

Now checked Ubuntu too, USEPAM is enabled in most major distros, PAM is invoked in every login in Archlinux so I don't see a reason to not enable it by default.
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

Shall we vote about it?

greetings
tpowa
--
Tobias Powalowski
Archlinux Developer & Package Maintainer (tpowa)
http://www.archlinux.org
tpowa@archlinux.org
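
Added example (not part of the thread or of the Arch package): a small Python check that reads an sshd_config and reports which of the cases described in the quoted comments applies to it. The compiled-in defaults, the function names and the choice to stop at the first Match block are assumptions of this sketch; the sample input is constructed from the three directives in the excerpt.

```python
# Compiled-in defaults assumed for an OpenSSH release of the thread's era.
DEFAULTS = {
    "usepam": "no",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "permitrootlogin": "yes",
}
PAM_AUTH_OPTIONS = ("challengeresponseauthentication", "passwordauthentication")

# Constructed sample: the three directives visible in the quoted excerpt.
THREAD_EXCERPT = """\
ChallengeResponseAuthentication no
#PasswordAuthentication yes
UsePAM yes
"""

def effective_settings(config_text):
    """Global values of the tracked keywords (first occurrence wins in sshd)."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":              # Match blocks are not evaluated here
            break
        if keyword in DEFAULTS and len(parts) > 1 and keyword not in seen:
            seen[keyword] = parts[1].strip('"').lower()
    return {**DEFAULTS, **seen}

def pam_findings(config_text):
    """Name which case from the sshd_config comments the file falls into."""
    s = effective_settings(config_text)
    if s["usepam"] != "yes":
        return ["PAM not used by sshd"]
    enabled = [k for k in PAM_AUTH_OPTIONS if s[k] == "yes"]
    if not enabled:
        return ["PAM account and session checks only"]
    findings = ["PAM authentication reachable via " + ", ".join(enabled)]
    if ("challengeresponseauthentication" in enabled
            and s["permitrootlogin"] in ("without-password", "prohibit-password")):
        findings.append("PermitRootLogin without-password may be bypassed")
    return findings

if __name__ == "__main__":
    print(pam_findings(THREAD_EXCERPT))
```

With the excerpt as posted, PasswordAuthentication stays at its commented-out default, so PAM authentication is still reachable through it.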