Does a known security issue allow ssh login via system accounts?

Jim Knoble jmknoble at pobox.com
Wed Mar 2 04:49:39 AEDT 2022


I would echo Alexander's comment from up-thread and recommend failing closed, not open[*], by using 'AllowUsers' with a group containing the only users who should be able to ssh.  (Whether you include root in that group depends on your use case).

____________________

[*]: If another system account is added to the machine and you don't add that account to the DenyUsers line, the new system account may be vulnerable to the same attack.

-- 
jmk

> On Mar 1, 2022, at 09:19, Whit Blauvelt <whit at transpect.com> wrote:
> 
> Adding a DenyUsers line in sshd_config
> listing all the system user accounts works to block this intrusion, and will
> be my standard practice now.



More information about the openssh-unix-dev mailing list