PHK's MD5 might not be slow enough anymore
Doug Barton
dougb at FreeBSD.org
Mon Feb 1 20:29:51 UTC 2010
On 02/01/10 10:24, Matthew Dillon wrote:
> If you don't need PAM's extra features for your sshd access (which is
> most people) then turn PAM off in your sshd_config to work around the
> base code change that DES made. Then the other options will work as
> intended. And, just to be safe, also turn off the challenge-response
> option.
>
> UsePAM no
> ChallengeResponseAuthentication no
> PasswordAuthentication no
I agree that turning PAM off whenever possible is a good thing. It
should also be noted that regardless of what appears in the default
config file those options should be uncommented so that you can be sure
they will be effective across updates.
For the old-school paranoids (like me) the following options are also of
interest "just in case":
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
hth,
Doug
--
Improve the effectiveness of your Internet presence with
a domain name makeover! http://SupersetSolutions.com/
Computers are useless. They can only give you answers.
-- Pablo Picasso
More information about the freebsd-security
mailing list