Update sshd-pfs_config #57
Conversation
Added more detail for a strong sshd_config file
|
This definitely looks like an improvement, but what is the shortened LoginGraceTime for? |
| StrictModes yes | ||
|
|
||
| # Prevent privilege escalation - keeps any corruption within an unprivileged processes | ||
| UsePrivilegeSeparation yes |
There was a problem hiding this comment.
A better value for this setting is sandbox. Here's the description from the manpage:
If UsePrivilegeSeparation is set to “sandbox” then the pre-authentication unprivileged process is subject to additional restrictions.
There was a problem hiding this comment.
@fmarier - Thanks François, I didn't know about the sandbox setting!
There was a problem hiding this comment.
@GigabyteProductions - Just to reduce the amount of time the system is listening to an unauthenticated user; I was coming from a viewpoint of "minimum possible access", and didn't see the point in giving people a whole 120 seconds of airtime. There may be no security value in it, but there might be a new 0-day at some point or something.
Changed PrivilegeSeparation to sandbox (thanks, @fmarier!) Added VERBOSE log level Added 4096-bit RSA key (usually 1024 or 2048 bit created on initial system install)
Added more detail for a strong sshd_config file