Hello:
66# grep -i challenge /etc/ssh/sshd_config
#ChallengeResponseAuthentication yes
66# sshd -T|grep -i challenge
challengeresponseauthentication yes
66#
it doesn't counts if it is commented out, since it is by default YES as I started the thread with:
> > ####################
> > # what am I talking about?
> >
> > https://man.openbsd.org/sshd_config#ChallengeResponseAuthentication
> >
> > ChallengeResponseAuthentication
> > Specifies whether challenge-response authentication is allowed. All
> > authentication styles from login.conf(5) are supported. The default is
> > yes.
anyone in this world that understands what am I trying to point out? :)
with all the infos so far I have, the "ChallengeResponseAuthentication" should be by default NO. but it isn't currently.
maybe someone from the devs? or sorry, am I posting to the wrong list?
Really Many Thanks.
Happy New Year!
> Sent: Monday, December 23, 2019 at 1:58 PM
> From: "Jan Betlach" <jbetlach@gmail.com>
> To: "lu hu" <luhu8543@mail.com>
> Cc: misc@openbsd.org
> Subject: Re: Why isn't ChallengeResponseAuthentication NO in sshd_config?
>
>
> Isn't it commented out by default?
>
> Jan
>
>
> > Hello,
> >
> > nobody about the $subject? :)
> >
> > Why isn't ChallengeResponseAuthentication NO in sshd_config by
> > default?
> >
> > It would be more secure, afaik.
> >
> > Many thanks.
> >
> >
> >> Sent: Thursday, December 19, 2019 at 7:58 PM
> >> From: "lu hu" <luhu8543@mail.com>
> >> To: misc@openbsd.org
> >> Subject: Re: Why isn't ChallengeResponseAuthentication NO in
> >> sshd_config?
> >>
> >>> Sent: Wednesday, December 18, 2019 at 9:49 PM
> >>> From: "Bodie" <bodie@bodie.cz>
> >>> To: misc@openbsd.org, owner-misc@openbsd.org
> >>> Subject: Re: Why isn't ChallengeResponseAuthentication NO in
> >>> sshd_config?
> >>>
> >>>
> >>>
> >>> On 18.12.2019 18:48, lu hu wrote:
> >>>> Hello,
> >>>>
> >>>> ####################
> >>>> # what am I talking about?
> >>>>
> >>>> https://man.openbsd.org/sshd_config#ChallengeResponseAuthentication
> >>>>
> >>>> ChallengeResponseAuthentication
> >>>> Specifies whether challenge-response authentication is allowed.
> >>>> All
> >>>> authentication styles from login.conf(5) are supported. The default
> >>>> is
> >>>> yes.
> >>>>
> >>>> ####################
> >>>> # what does linux distros use:
> >>>>
> >>>> If I ex.: read:
> >>>>
> >>>> https://access.redhat.com/solutions/336773
> >>>>
> >>>> then I can see ChallengeResponseAuthentication is NO for security
> >>>> reasons. Ubuntu too.
> >>>>
> >>>> ####################
> >>>> # what else says ChallengeResponseAuthentication should be NO?
> >>>>
> >>>> https://www.openwall.com/lists/oss-security/2019/12/04/5
> >>>> ->
> >>>
> >>> These issues were quickly fixed in OpenBSD as you can see in
> >>> Security
> >>>
> >>
> >> This isn't related to the subject.
> >>
> >>>
> >>>> 1. CVE-2019-19521: Authentication bypass
> >>>>
> >>>> this attack should be more mitigated if
> >>>> ChallengeResponseAuthentication would be by default set to NO.
> >>>>
> >>>> ####################
> >>>> # FIX:
> >>>>
> >>>> from this:
> >>>> cat /etc/ssh/sshd_config
> >>>> ...
> >>>> # Change to no to disable s/key passwords
> >>>> #ChallengeResponseAuthentication yes
> >>>> ...
> >>>>
> >>>> to this:
> >>>> vi /etc/ssh/sshd_config
> >>>> cat /etc/ssh/sshd_config
> >>>> ...
> >>>> # Change to no to disable s/key passwords
> >>>> ChallengeResponseAuthentication no
> >>>> ...
> >>>>
> >>>> But of course by default, without fixing sshd_config it should be
> >>>> NO.
> >>>>
> >>>> Who the hell uses s/key with sshd nowadays?
> >>>>
> >>>
> >>> And you are aware that this option is not there just for S/Key,
> >>> right?
> >>> It's for example PAM Google authenticator too on Linux and
> >>> others....
> >>>
> >>> I think you missed couple of points. Eg.:
> >>>
> >>> https://www.openbsd.org/faq/faq10.html#SKey
> >>>
> >>> and the fact that login.conf(5) on OpenBSD by default enables S/Key.
> >>>
> >>
> >> I checked the https://www.openbsd.org/faq/faq10.html#SKey
> >>
> >> first step is to have a /etc/skey dir. So checked it:
> >>
> >> 66# ls /etc/skey
> >> ls: /etc/skey: No such file or directory
> >> 66#
> >>
> >> There is no /etc/skey by default. So you have to do the "skeyinit -E"
> >> as root, etc. Same for Google authenticator, etc. So
> >> ChallengeResponseAuthentication should be only enabled then.. when
> >> you set up extra auth methods.
> >>
> >> So afaik skey isn't enabled by default on OpenBSD, but for still some
> >> unkown reason (for me) ChallengeResponseAuthentication is set to yes
> >> by default on OpenBSD.
> >>
> >> Why?
> >>
> >>>> ####################
> >>>>
> >>>> So please, can we make the default sshd_config more secure and set
> >>>> the
> >>>> "ChallengeResponseAuthentication to NO"?
> >>>>
> >>>
> >>> Some practical examples at hand of the current vulnerability which
> >>> will
> >>> make this change reasonable?
> >>
> >> It is about proactive security, to avoid future possible security
> >> issues.
> >>
> >>>
> >>>> Many thanks and whishing a peaceful xmas!
> >>>
> >>>
> >>
> >>
>
>
No comments:
Post a Comment