This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: SSHD installation defaults / security


On Mon, 11 Oct 2004, Corinna Vinschen wrote:

> On Oct 11 13:29, Jochen Wezel wrote:
> > Hi!
> >
> > I've installed today the current release of cygwin (1.5.11-1) with
> > OpenSSH package.
> >
> > There are 2 issues:
> >
> > 1. This package (or at least the ssh-host-config script) depends on
> > cygserver
>
> Neither the package nor ssh-host-config depend on cygserver.  Dunno how
> you get the idea.  Do you mean cygrunsrv?  Yes, the ssh-host-config
> script depends on it *iff* you answer the question to install sshd as a
> service.
>
> I'm not sure if the package should require cygrunsrv, though.  The
> /usr/share/doc/Cygwin/openssh.README file mentions that cygrunsrv is
> required to install sshd as service on NT systems.

Well, in the spirit of CGF's comment about tetex-x11 requiring X because
of xdvi (see <http://cygwin.com/ml/cygwin-apps/2004-10/msg00163.html>),
perhaps openssh *should* require cygrunsrv.

> > 2. After installation, the /etc/sshd_config file allows SSH protocol 1
> > by default. Since this protocol 1 has a conceptual security hole, it
> > should not be available after standard setup. If somebody requires it,
> > he had to manually configure the sshd_config. That's why I suggest to
> > change that file to:
> >
> > Port 22
> > Protocol 2 #,1			# <-- activate protocol version 1 here, if you really require it
> > #ListenAddress 0.0.0.0
> > #ListenAddress ::
> >
> > Please can the developers do these changes?
>
> The above installation of /etc/sshd_config is, except for a small Cygwin
> specific tweak, the same sshd_config file as you get it when building
> and installing OpenSSH from scratch.  There's no reason to change that
> unless the core developers of OpenSSH decide to install it differently.

IOW, Jochen, take it up with the upstream openssh team...
	Igor
-- 
				http://cs.nyu.edu/~pechtcha/
      |\      _,,,---,,_		pechtcha@cs.nyu.edu
ZZZzz /,`.-'`'    -.  ;-;;,_		igor@watson.ibm.com
     |,4-  ) )-,_. ,\ (  `'-'		Igor Pechtchanski, Ph.D.
    '---''(_/--'  `-'\_) fL	a.k.a JaguaR-R-R-r-r-r-.-.-.  Meow!

"Happiness lies in being privileged to work hard for long hours in doing
whatever you think is worth doing."  -- Dr. Jubal Harshaw
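
An added example, not part of the original thread and not code from the Cygwin or OpenSSH projects: a shell check for the second issue discussed above, reporting whether an sshd_config leaves SSH protocol 1 enabled. It assumes that the first active Protocol line wins and that a file with no active Protocol line falls back to the built-in default of that era, which includes protocol 1; the function names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config for SSH protocol 1.

# Print the value of the first active "Protocol" line (nothing if absent).
effective_protocol() {
    awk '
        /^[ \t]*#/ { next }             # skip whole-line comments
        tolower($1) == "protocol" {     # keywords are case-insensitive
            print $2
            exit                        # assumption: first value wins
        }
    ' "$1"
}

# Return 0 if the file leaves protocol 1 enabled, 1 if it is protocol 2 only.
allows_protocol1() {
    value=$(effective_protocol "$1")
    # Assumption: with no active Protocol line, the sshd of this era uses a
    # built-in default that still includes protocol 1.
    [ -z "$value" ] && return 0
    case ",$value," in
        *,1,*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Constructed sample configs (not taken from a real host).
make_samples() {
    printf 'Port 22\n#Protocol 2,1\n#ListenAddress 0.0.0.0\n' > "$1/stock"
    printf 'Port 22\nProtocol 2,1\n' > "$1/explicit"
    printf 'Port 22\nProtocol 2\n' > "$1/v2only"
    printf 'Port 22\nprotocol 2\nProtocol 2,1\n' > "$1/shadowed"
}

dir=$(mktemp -d)
make_samples "$dir"
for f in stock explicit v2only shadowed; do
    if allows_protocol1 "$dir/$f"; then
        echo "$f: protocol 1 ENABLED"
    else
        echo "$f: protocol 2 only"
    fi
done
rm -rf "$dir"
```
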
