PHK's MD5 might not be slow enough anymore

Doug Barton dougb at
Mon Feb 1 20:29:51 UTC 2010

On 02/01/10 10:24, Matthew Dillon wrote:
>      If you don't need PAM's extra features for your sshd access (which is
>      most people) then turn PAM off in your sshd_config to work around the
>      base code change that DES made.  Then the other options will work as
>      intended.  And, just to be safe, also turn off the challenge-response
>      option.
> 	UsePAM no
> 	ChallengeResponseAuthentication no
> 	PasswordAuthentication no

I agree that turning PAM off whenever possible is a good thing. It 
should also be noted that regardless of what appears in the default 
config file those options should be uncommented so that you can be sure 
they will be effective across updates.

For the old-school paranoids (like me) the following options are also of 
interest "just in case":

RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes




	Improve the effectiveness of your Internet presence with
	a domain name makeover!

	Computers are useless. They can only give you answers.
			-- Pablo Picasso

More information about the freebsd-security mailing list