Re: SSHD installation defaults / security

[Corinna Vinschen <corinna-cygwin at cygwin dot com>]

On Oct 11 13:29, Jochen Wezel wrote:
> Hi!
> 
> I've installed today the current release of cygwin (1.5.11-1) with OpenSSH
> package.
> 
> There are 2 issues:
> 
> 1. This package (or at least the ssh-host-config script) depends on
> cygserver

Neither the package nor ssh-host-config depend on cygserver.  Dunno how
you get the idea.  Do you mean cygrunsrv?  Yes, the ssh-host-config script
depends on it *iff* you answer the question to install sshd as a service.

I'm not sure if the package should require cygrunsrv, though.  The
/usr/share/doc/Cygwin/openssh.README file mentions that cygrunsrv is
required to install sshd as service on NT systems.

> 2. After installation, the /etc/sshd_config file allows SSH protocol 1 by
> default. Since this protocol 1 has a coneceptual security hole, it should
> not be available after standard setup. If somebody requires it, he had to
> manually configure the sshd_config. That's why I suggest to change that file
> to:
> 
> Port 22
> Protocol 2 #,1			# <-- activate protocol version 1 here, if
> you really require it
> #ListenAddress 0.0.0.0
> #ListenAddress ::
> 
> Please can the developers do these changes?

The above installation of /etc/sshd_config is, except for a small Cygwin
specific tweak, the same sshd_config file as you get it when building and
installing OpenSSH from scratch.  There's no reason to change that unless
the core developers of OpenSSH decide to install it differently.


Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Project Co-Leader          mailto:cygwin@cygwin.com
Red Hat, Inc.

--
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple
Problem reports:       http://cygwin.com/problems.html
Documentation:         http://cygwin.com/docs.html
FAQ:                   http://cygwin.com/faq/