[Trisquel-devel] Important: Insecure SSHD defaults

Luke gaming4jc2 at yahoo.com
Sat Feb 22 01:56:30 CET 2014

Hello,
This was recently brought up on the forums, and I have confirmed the
security risk. https://trisquel.info/en/forum/ssh-server-enabled-default

1) User installs Trisquel, uses simple local password that is easy to
remember.

2) SSHD is installed on the box on default port, with password
authentication, and NO KEY based auth by default and given access to
all interfaces

Meaning:
* Most users are not aware of the default, and it is not even enabled
 by your upstream (Ubuntu).

* Brute force or dictionary attack by remote attackers on this
standard port is extremely easy.

* Defaults are messed up:
Port 22
PermitRootLogin Yes <--- ???
PasswordAuthentication yes
LoginGraceTime 120 <-- fairly nice for bruteforcing.


Solution:
SSHD can be left as an installed package, but should be completely OFF
by default. Alternatively the defaults should disable password
authentication, move the default port, shorten the grace time... and
even then, for the average desktop user I don't see the use for this
application.
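
As an added example (not part of the mailing-list post, and not Trisquel's or
OpenSSH's own tooling), the following POSIX shell script audits an sshd_config
file for the three weak settings the post lists (PermitRootLogin yes,
PasswordAuthentication yes, a long LoginGraceTime) and applies the upstream
defaults of that era when a directive is absent. The two config files it writes
are constructed samples: one reproducing the criticised defaults, one with the
hardened alternative the post suggests (key-only auth, no root login, shorter
grace time). The 60-second threshold for LoginGraceTime is an assumption chosen
for this example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the weak defaults named in the post.
# Assumes POSIX sh + awk; LoginGraceTime values are assumed to be plain seconds.

# sshd_get DIRECTIVE FILE -> prints the first uncommented value of DIRECTIVE.
# sshd itself uses the first occurrence of a keyword, so we stop at the first hit.
sshd_get() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# sshd_weak_count FILE -> prints one "WEAK ..." line per weak setting to stderr
# and echoes the number of weak settings found (0 means all three are hardened).
sshd_weak_count() {
    f="$1"; n=0

    # Defaults of the 6.x-era sshd the post quotes: root login and passwords allowed.
    v=$(sshd_get PermitRootLogin "$f"); [ -z "$v" ] && v=yes
    case "$v" in [Yy][Ee][Ss]) echo "WEAK PermitRootLogin $v" >&2; n=$((n+1));; esac

    v=$(sshd_get PasswordAuthentication "$f"); [ -z "$v" ] && v=yes
    case "$v" in [Yy][Ee][Ss]) echo "WEAK PasswordAuthentication $v" >&2; n=$((n+1));; esac

    # Default grace time was 120 s; anything over 60 s is flagged here (assumed threshold).
    v=$(sshd_get LoginGraceTime "$f"); [ -z "$v" ] && v=120
    case "$v" in
        *[!0-9]*) echo "WEAK LoginGraceTime $v (unparsed, review manually)" >&2; n=$((n+1));;
        *) [ "$v" -gt 60 ] && { echo "WEAK LoginGraceTime $v" >&2; n=$((n+1)); } ;;
    esac

    echo "$n"
}

# Constructed sample 1: the defaults criticised in the post.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
# constructed sample, not a real Trisquel file
Port 22
PermitRootLogin yes
PasswordAuthentication yes
LoginGraceTime 120
EOF

# Constructed sample 2: hardened alternative (key-only, no root, short grace time).
HARD_CONF=$(mktemp)
cat >"$HARD_CONF" <<'EOF'
# constructed sample, not a real Trisquel file
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
LoginGraceTime 30
EOF

# Constructed sample 3: empty file, so every directive falls back to the old defaults.
EMPTY_CONF=$(mktemp)
: >"$EMPTY_CONF"

# Stand-alone usage: report on each sample.
for c in "$WEAK_CONF" "$HARD_CONF" "$EMPTY_CONF"; do
    echo "$c: $(sshd_weak_count "$c") weak setting(s)"
done
```

On a live host, `sshd -T` (run as root) prints the effective configuration after
defaults and Match blocks are applied; feeding that output to `sshd_weak_count`
instead of the raw file avoids the script's two simplifications (it ignores
Match blocks and assumes the file it reads is the only one sshd loads).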