Proposal for sshd_config(5) man page

Proposal for sshd_config(5) man page

Walter Alejandro Iglesias-3
In sshd_config(5), to avoid confusion with PermitRootLogin options.

Original:

  If this option is set to *prohibit-password* or *without-password*,
  password and keyboard-interactive authentication are disabled for
  root.

Proposed:

  If this option is set to *prohibit-password* (renamed from
  *without-password* to avoid ambiguity, both valid) only non
  keyboard-interactive authentication (public-key, hostbased and GSSAPI)
  is allowed for root.


--- sshd_config.5.orig Mon Oct  9 22:12:51 2017
+++ sshd_config.5 Fri Oct 13 12:38:13 2017
@@ -1199,9 +1199,10 @@
 .Pp
 If this option is set to
 .Cm prohibit-password
-or
-.Cm without-password ,
-password and keyboard-interactive authentication are disabled for root.
+(renamed from
+.Cm without-password
+to avoid ambiguity, both valid) only non keyboard-interactive authentication
+(public-key, hostbased and GSSAPI) is allowed for root.
 .Pp
 If this option is set to
 .Cm forced-commands-only ,
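
Review bot: the replacement sentence at "+to avoid ambiguity, both valid) only non keyboard-interactive authentication" no longer states that password authentication is disabled for root, which the removed line said outright, and "non keyboard-interactive" can be read as still covering password. Suggest keeping "password and keyboard-interactive authentication are disabled for root." and adding the rename remark as its own sentence; the enumerated list (public-key, hostbased and GSSAPI) also has to be updated by hand whenever the set of methods changes.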


     ***

A related question.  About these messages (/var/log/authlog):

 ... error: maximum authentication attempts exceeded for root ...

 ... error: maximum authentication attempts exceeded for invalid user admin ...

Is there any reason why the connection isn't just terminated after
confirming the user is root or invalid?


Re: Proposal for sshd_config(5) man page

Stuart Henderson
On 2017/10/13 12:57, Walter Alejandro Iglesias wrote:

> In sshd_config(5), to avoid confusion with PermitRootLogin options.
>
> Original:
>
>   If this option is set to *prohibit-password* or *without-password*,
>   password and keyboard-interactive authentication are disabled for
>   root.
>
> Proposed:
>
>   If this option is set to *prohibit-password* (renamed from
>   *without-password* to avoid ambiguity, both valid) only non
>   keyboard-interactive authentication (public-key, hostbased and GSSAPI)
>   is allowed for root.

How about a briefer alternative that points people towards the
more self-explanatory option keyword?

Index: sshd_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.254
diff -u -p -r1.254 sshd_config.5
--- sshd_config.5 9 Oct 2017 20:12:51 -0000 1.254
+++ sshd_config.5 13 Oct 2017 12:59:14 -0000
@@ -1198,10 +1198,11 @@ The default is
 .Cm prohibit-password .
 .Pp
 If this option is set to
-.Cm prohibit-password
-or
-.Cm without-password ,
+.Cm prohibit-password ,
 password and keyboard-interactive authentication are disabled for root.
+.Cm without-password
+is a deprecated alias for
+.Cm prohibit-password .
 .Pp
 If this option is set to
 .Cm forced-commands-only ,
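
Review bot: the new sentence "is a deprecated alias for" marks without-password as deprecated, but the hunk starts at line 1198 and leaves the "The argument must be" list above it untouched, where without-password is still listed on equal footing with the other values. Suggest removing or qualifying it in that list in the same change, so the entry does not present five arguments in one paragraph and four in the next.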


Re: Proposal for sshd_config(5) man page

Jimmy Hess
In reply to this post by Walter Alejandro Iglesias-3
On Fri, Oct 13, 2017 at 5:57 AM, Walter Alejandro Iglesias <[hidden email]> wrote:

Perhaps the existence of the PermitRootLogin directive is redundant at this
point or ought to be deprecated, and the docs should suggest using other
Option directives?  :-)

Or..... how is this meant to provide additional functionality above and
beyond directives that can be used to restrict authentication types for all
connections regardless of login name?

    AuthenticationMethods publickey,keyboard-interactive

    Match User root
        AuthenticationMethods publickey

The [AuthenticationMethods] directive can also specify that a Non-Password
based Method must be used PLUS a Password-based method... thus avoiding the
possibility of an unintentional backdoor through an .ssh/authorized_keys key
file, by making sure the root password is always required, and reducing the
likelihood that an SSH secret key is stolen and then used to surreptitiously
log in as root. So.....

    AuthenticationMethods publickey password,keyboard-interactive

can be seen as stronger security than "PermitRootLogin prohibit-password".

There's no "PermitRootLogin require-BOTH-publickey-and-a-password"


> In sshd_config(5), to avoid confusion with PermitRootLogin options.
>
> Original:
>
>   If this option is set to *prohibit-password* or *without-password*,
>   password and keyboard-interactive authentication are disabled for
>   root.
>
> Proposed:
>
>   If this option is set to *prohibit-password* (renamed from
>   *without-password* to avoid ambiguity, both valid) only non
>   keyboard-interactive authentication (public-key, hostbased and GSSAPI)
>   is allowed for root.
>
>
--
-JH
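
As an added example (not part of the original post, and not OpenSSH code), this Python sketch models how the two directives discussed in the thread combine for root. It follows the sshd_config(5) definition of AuthenticationMethods, in which whitespace separates alternative lists and commas join the methods that must all succeed within one list. The function names are hypothetical and the sample inputs are constructed, in the flat "keyword value" form that `sshd -T` prints.

```python
# Added example: simplified model, not OpenSSH code. Function names are
# hypothetical; inputs are constructed in the "keyword value" form of `sshd -T`.

ALL_METHODS = ["publickey", "hostbased", "gssapi-with-mic",
               "password", "keyboard-interactive"]

# Methods root may use under each PermitRootLogin value, per sshd_config(5).
ROOT_ALLOWED = {
    "yes": set(ALL_METHODS),
    "prohibit-password": {"publickey", "hostbased", "gssapi-with-mic"},
    "forced-commands-only": {"publickey"},  # and only keys with command=
    "no": set(),
}
ALIASES = {"without-password": "prohibit-password"}  # deprecated alias


def parse_effective(text):
    """Parse flat 'keyword value' lines into a dict with lowercase keys."""
    cfg = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            cfg[parts[0].lower()] = parts[1].strip()
    return cfg


def root_auth_paths(cfg):
    """Return (mode, paths): method lists that root is able to complete.

    In AuthenticationMethods, whitespace separates alternative lists and
    commas join methods that must all succeed within one list.
    """
    mode = cfg.get("permitrootlogin", "prohibit-password").lower()
    mode = ALIASES.get(mode, mode)
    if mode not in ROOT_ALLOWED:
        raise ValueError("unknown PermitRootLogin value: " + mode)
    allowed = ROOT_ALLOWED[mode]
    spec = cfg.get("authenticationmethods", "any")
    if spec.lower() == "any":          # default: any single method suffices
        lists = [[m] for m in ALL_METHODS]
    else:
        lists = [item.split(",") for item in spec.split()]
    # A list is usable only if every method in it is open to root; the
    # ":device" suffix of keyboard-interactive is ignored for the check.
    paths = [l for l in lists if all(m.split(":")[0] in allowed for m in l)]
    return mode, paths


SAMPLES = {  # constructed inputs
    "alias": "permitrootlogin without-password\nauthenticationmethods any",
    "two_lists": "permitrootlogin yes\n"
                 "authenticationmethods publickey password,keyboard-interactive",
    "one_list": "permitrootlogin yes\nauthenticationmethods publickey,password",
    "lockout": "permitrootlogin prohibit-password\n"
               "authenticationmethods publickey,keyboard-interactive",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, *root_auth_paths(parse_effective(text)))
```

In the `two_lists` sample a key alone completes authentication, whereas `one_list` requires both a key and a password; `lockout` leaves root with no usable list.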

Re: Proposal for sshd_config(5) man page

Walter Alejandro Iglesias-3
In reply to this post by Stuart Henderson
Hi Stuart,

On Fri, Oct 13, 2017 at 02:01:17PM +0100, Stuart Henderson wrote:
> How about a briefer alternative that points people towards the
> more self-explanatory option keyword?

Or even better, to modify the first paragraph to make it clear from the
very start that there are *four* arguments, not five (if my English fails let
me know, please):

To change this:

   PermitRootLogin
        Specifies whether root can log in using ssh(1).  The argument
        must be yes, prohibit-password, without-password,
        forced-commands-only, or no.  The default is prohibit-password.

for this:

   PermitRootLogin
        Specifies whether root can log in using ssh(1).  The argument
        must be yes, prohibit-password (late without-password),
        forced-commands-only, or no.  The default is prohibit-password.


I still think some redundancy in the second paragraph is welcome to
leave the reader no doubt about what each option exactly allows and
prohibits.  Without that clarification when you get to the third
paragraph:

   If this option is set to forced-commands-only, root login with public
   key authentication will be allowed, but only if the command option...

you may wonder if prohibit-password allows public key authentication.
At least that's what happened to me. :-)


New version:


--- sshd_config.5.orig Fri Oct 13 16:23:06 2017
+++ sshd_config.5 Fri Oct 13 16:20:34 2017
@@ -1189,8 +1189,8 @@
 .Xr ssh 1 .
 The argument must be
 .Cm yes ,
-.Cm prohibit-password ,
-.Cm without-password ,
+.Cm prohibit-password
+.Pq late without-password ,
 .Cm forced-commands-only ,
 or
 .Cm no .
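
Review bot: in "+.Pq late without-password ," the word "late" does not read as "formerly" and gives no hint that the keyword is still accepted; the keyword also loses its .Cm markup inside the .Pq, so it is marked up differently from the other arguments in the list. Suggest a wording such as "deprecated alias" with the keyword kept under .Cm.
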
@@ -1199,9 +1199,8 @@
 .Pp
 If this option is set to
 .Cm prohibit-password
-or
-.Cm without-password ,
-password and keyboard-interactive authentication are disabled for root.
+(without-password is still valid) only non keyboard-interactive
+authentication (public-key, hostbased and GSSAPI) is allowed for root.
 .Pp
 If this option is set to
 .Cm forced-commands-only ,
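
Review bot: "+(without-password is still valid) only non keyboard-interactive" drops the explicit statement that password authentication is disabled for root and writes the keyword as plain text rather than under .Cm. Suggest keeping the removed "password and keyboard-interactive authentication are disabled for root." line and, if the permitted methods are to be named, doing so in an additional sentence, since a fixed list (public-key, hostbased and GSSAPI) has to be maintained when methods change.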



Re: Proposal for sshd_config(5) man page

Jason McIntyre-2
In reply to this post by Stuart Henderson
On Fri, Oct 13, 2017 at 02:01:17PM +0100, Stuart Henderson wrote:

> On 2017/10/13 12:57, Walter Alejandro Iglesias wrote:
> > In sshd_config(5), to avoid confusion with PermitRootLogin options.
> >
> > Original:
> >
> >   If this option is set to *prohibit-password* or *without-password*,
> >   password and keyboard-interactive authentication are disabled for
> >   root.
> >
> > Proposed:
> >
> >   If this option is set to *prohibit-password* (renamed from
> >   *without-password* to avoid ambiguity, both valid) only non
> >   keyboard-interactive authentication (public-key, hostbased and GSSAPI)
> >   is allowed for root.
>
> How about a briefer alternative that points people towards the
> more self-explanatory option keyword?
>
> Index: sshd_config.5
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
> retrieving revision 1.254
> diff -u -p -r1.254 sshd_config.5
> --- sshd_config.5 9 Oct 2017 20:12:51 -0000 1.254
> +++ sshd_config.5 13 Oct 2017 12:59:14 -0000
> @@ -1198,10 +1198,11 @@ The default is
>  .Cm prohibit-password .
>  .Pp
>  If this option is set to
> -.Cm prohibit-password
> -or
> -.Cm without-password ,
> +.Cm prohibit-password ,
>  password and keyboard-interactive authentication are disabled for root.
> +.Cm without-password
> +is a deprecated alias for
> +.Cm prohibit-password .
>  .Pp
>  If this option is set to
>  .Cm forced-commands-only ,
>

i agree that we should not try to list all the other types that are
valid, since it means one more thing to remember when things change.
and means adding more text.

i'm fine with your diff, but couldn't resist having a stab myself:

Index: sshd_config.5
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
retrieving revision 1.254
diff -u -r1.254 sshd_config.5
--- sshd_config.5 9 Oct 2017 20:12:51 -0000 1.254
+++ sshd_config.5 13 Oct 2017 14:52:03 -0000
@@ -1190,7 +1190,6 @@
 The argument must be
 .Cm yes ,
 .Cm prohibit-password ,
-.Cm without-password ,
 .Cm forced-commands-only ,
 or
 .Cm no .
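
Review bot: removing "-.Cm without-password ," leaves the "The argument must be" sentence listing fewer values than the option accepts, so this hunk depends on the next one, where the alias is still named; the two should only go in together. A reader searching the entry for the keyword will now find it only in the following paragraph.
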
@@ -1199,8 +1198,8 @@
 .Pp
 If this option is set to
 .Cm prohibit-password
-or
-.Cm without-password ,
+(or its deprecated alias,
+.Cm without-password ) ,
 password and keyboard-interactive authentication are disabled for root.
 .Pp
 If this option is set to
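
Review bot: the unchanged line "password and keyboard-interactive authentication are disabled for root." still says only what is turned off, so the paragraph does not tell the reader whether public key authentication remains available under prohibit-password, the doubt raised earlier in this thread about the forced-commands-only paragraph that follows. Consider one short added sentence saying that other methods stay permitted, without enumerating them.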


Re: Proposal for sshd_config(5) man page

Walter Alejandro Iglesias-3
In article <20171013145400.GA82524@harkle> Jason McIntyre <[hidden email]> wrote:

> On Fri, Oct 13, 2017 at 02:01:17PM +0100, Stuart Henderson wrote:
> > On 2017/10/13 12:57, Walter Alejandro Iglesias wrote:
> > > In sshd_config(5), to avoid confusion with PermitRootLogin options.
> > >
> > > Original:
> > >
> > >   If this option is set to *prohibit-password* or *without-password*,
> > >   password and keyboard-interactive authentication are disabled for
> > >   root.
> > >
> > > Proposed:
> > >
> > >   If this option is set to *prohibit-password* (renamed from
> > >   *without-password* to avoid ambiguity, both valid) only non
> > >   keyboard-interactive authentication (public-key, hostbased and GSSAPI)
> > >   is allowed for root.
> >
> > How about a briefer alternative that points people towards the
> > more self-explanatory option keyword?
> >
> > Index: sshd_config.5
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
> > retrieving revision 1.254
> > diff -u -p -r1.254 sshd_config.5
> > --- sshd_config.5     9 Oct 2017 20:12:51 -0000       1.254
> > +++ sshd_config.5     13 Oct 2017 12:59:14 -0000
> > @@ -1198,10 +1198,11 @@ The default is
> >  .Cm prohibit-password .
> >  .Pp
> >  If this option is set to
> > -.Cm prohibit-password
> > -or
> > -.Cm without-password ,
> > +.Cm prohibit-password ,
> >  password and keyboard-interactive authentication are disabled for root.
> > +.Cm without-password
> > +is a deprecated alias for
> > +.Cm prohibit-password .
> >  .Pp
> >  If this option is set to
> >  .Cm forced-commands-only ,
> >
>
> i agree that we should not try to list all the other types that are
> valid, since it means one more thing to remember when things change.
> and means adding more text.
>
> i'm fine with your diff, but couldn't resist having a stab myself:

The first paragraph is the more important.  I like this version.


>
> Index: sshd_config.5
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
> retrieving revision 1.254
> diff -u -r1.254 sshd_config.5
> --- sshd_config.5       9 Oct 2017 20:12:51 -0000       1.254
> +++ sshd_config.5       13 Oct 2017 14:52:03 -0000
> @@ -1190,7 +1190,6 @@
>  The argument must be
>  .Cm yes ,
>  .Cm prohibit-password ,
> -.Cm without-password ,
>  .Cm forced-commands-only ,
>  or
>  .Cm no .
> @@ -1199,8 +1198,8 @@
>  .Pp
>  If this option is set to
>  .Cm prohibit-password
> -or
> -.Cm without-password ,
> +(or its deprecated alias,
> +.Cm without-password ) ,
>  password and keyboard-interactive authentication are disabled for root.
>  .Pp
>  If this option is set to
>
>


Re: Proposal for sshd_config(5) man page

Stuart Henderson
In reply to this post by Jason McIntyre-2
On 2017/10/13 15:54, Jason McIntyre wrote:

> On Fri, Oct 13, 2017 at 02:01:17PM +0100, Stuart Henderson wrote:
> > On 2017/10/13 12:57, Walter Alejandro Iglesias wrote:
> > > In sshd_config(5), to avoid confusion with PermitRootLogin options.
> > >
> > > Original:
> > >
> > >   If this option is set to *prohibit-password* or *without-password*,
> > >   password and keyboard-interactive authentication are disabled for
> > >   root.
> > >
> > > Proposed:
> > >
> > >   If this option is set to *prohibit-password* (renamed from
> > >   *without-password* to avoid ambiguity, both valid) only non
> > >   keyboard-interactive authentication (public-key, hostbased and GSSAPI)
> > >   is allowed for root.
> >
> > How about a briefer alternative that points people towards the
> > more self-explanatory option keyword?
> >
> > Index: sshd_config.5
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
> > retrieving revision 1.254
> > diff -u -p -r1.254 sshd_config.5
> > --- sshd_config.5 9 Oct 2017 20:12:51 -0000 1.254
> > +++ sshd_config.5 13 Oct 2017 12:59:14 -0000
> > @@ -1198,10 +1198,11 @@ The default is
> >  .Cm prohibit-password .
> >  .Pp
> >  If this option is set to
> > -.Cm prohibit-password
> > -or
> > -.Cm without-password ,
> > +.Cm prohibit-password ,
> >  password and keyboard-interactive authentication are disabled for root.
> > +.Cm without-password
> > +is a deprecated alias for
> > +.Cm prohibit-password .
> >  .Pp
> >  If this option is set to
> >  .Cm forced-commands-only ,
> >
>
> i agree that we should not try to list all the other types that are
> valid, since it means one more thing to remember when things change.
> and means adding more text.
>
> i'm fine with your diff, but couldn't resist having a stab myself:
>
> Index: sshd_config.5
> ===================================================================
> RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
> retrieving revision 1.254
> diff -u -r1.254 sshd_config.5
> --- sshd_config.5 9 Oct 2017 20:12:51 -0000 1.254
> +++ sshd_config.5 13 Oct 2017 14:52:03 -0000
> @@ -1190,7 +1190,6 @@
>  The argument must be
>  .Cm yes ,
>  .Cm prohibit-password ,
> -.Cm without-password ,
>  .Cm forced-commands-only ,
>  or
>  .Cm no .
> @@ -1199,8 +1198,8 @@
>  .Pp
>  If this option is set to
>  .Cm prohibit-password
> -or
> -.Cm without-password ,
> +(or its deprecated alias,
> +.Cm without-password ) ,
>  password and keyboard-interactive authentication are disabled for root.
>  .Pp
>  If this option is set to
>

I had an OK from Ingo for mine, but I prefer your version. OK with me!


Re: Proposal for sshd_config(5) man page

Jason McIntyre-2
In reply to this post by Walter Alejandro Iglesias-3
On Fri, Oct 13, 2017 at 05:51:49PM +0200, Walter Alejandro Iglesias wrote:

> In article <20171013145400.GA82524@harkle> Jason McIntyre <[hidden email]> wrote:
> > On Fri, Oct 13, 2017 at 02:01:17PM +0100, Stuart Henderson wrote:
> > > On 2017/10/13 12:57, Walter Alejandro Iglesias wrote:
> > > > In sshd_config(5), to avoid confusion with PermitRootLogin options.
> > > >
> > > > Original:
> > > >
> > > >   If this option is set to *prohibit-password* or *without-password*,
> > > >   password and keyboard-interactive authentication are disabled for
> > > >   root.
> > > >
> > > > Proposed:
> > > >
> > > >   If this option is set to *prohibit-password* (renamed from
> > > >   *without-password* to avoid ambiguity, both valid) only non
> > > >   keyboard-interactive authentication (public-key, hostbased and GSSAPI)
> > > >   is allowed for root.
> > >
> > > How about a briefer alternative that points people towards the
> > > more self-explanatory option keyword?
> > >
> > > Index: sshd_config.5
> > > ===================================================================
> > > RCS file: /cvs/src/usr.bin/ssh/sshd_config.5,v
> > > retrieving revision 1.254
> > > diff -u -p -r1.254 sshd_config.5
> > > --- sshd_config.5     9 Oct 2017 20:12:51 -0000       1.254
> > > +++ sshd_config.5     13 Oct 2017 12:59:14 -0000
> > > @@ -1198,10 +1198,11 @@ The default is
> > >  .Cm prohibit-password .
> > >  .Pp
> > >  If this option is set to
> > > -.Cm prohibit-password
> > > -or
> > > -.Cm without-password ,
> > > +.Cm prohibit-password ,
> > >  password and keyboard-interactive authentication are disabled for root.
> > > +.Cm without-password
> > > +is a deprecated alias for
> > > +.Cm prohibit-password .
> > >  .Pp
> > >  If this option is set to
> > >  .Cm forced-commands-only ,
> > >
> >
> > i agree that we should not try to list all the other types that are
> > valid, since it means one more thing to remember when things change.
> > and means adding more text.
> >
> > i'm fine with your diff, but couldn't resist having a stab myself:
>
> The first paragraph is the more important.  I like this version.
>
>

i just committed it. thanks for your mail.
jmc


Re: Proposal for sshd_config(5) man page

Walter Alejandro Iglesias-3
In reply to this post by Stuart Henderson
In article <[hidden email]> Stuart Henderson <[hidden email]> wrote:
> I had an OK from Ingo for mine, but I prefer your version. OK with me!
>

One more (funny) thing.

After reading the man page, besides reading some info on the OpenSSH
site I googled a bit about the issue.  In some Ubuntu forum someone was
asking what the entry "PermitRootLogin without-password" in his
sshd_config file really meant.  He thought he was allowing root to log in
with a blank password.

I mean, don't fully trust in the effectiveness of self-explanatory
keywords. :-)


Re: Proposal for sshd_config(5) man page

Stuart Henderson
On 2017/10/13 20:25, Walter Alejandro Iglesias wrote:

> In article <[hidden email]> Stuart Henderson <[hidden email]> wrote:
> > I had an OK from Ingo for mine, but I prefer your version. OK with me!
> >
>
> One more (funny) thing.
>
> After reading the man page, besides reading some info on the OpenSSH
> site I googled a bit about the issue.  In some Ubuntu forum someone was
> asking what the entry "PermitRootLogin without-password" in his
> sshd_config file really meant.  He thought he was allowing root to log in
> with a blank password.
>
> I mean, don't fully trust in the effectiveness of self-explanatory
> keywords. :-)
>

That is *exactly* why "prohibit-password" was added.