223843 – Security Handbook - Securing Services - obsolete/inaccurate information

Bug 223843 - Security Handbook - Securing Services - obsolete/inaccurate information

Summary: Security Handbook - Securing Services - obsolete/inaccurate information

Status:	RESOLVED FIXED

Alias:	None

Product:	[OLD] Docs on www.gentoo.org
Classification:	Unclassified
Component:	Other documents (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Sven Vermeulen (RETIRED)

URL:	http://www.gentoo.org/doc/en/security...
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2008-05-27 14:34 UTC by kavol
Modified:	2008-06-16 15:58 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description kavol 2008-05-27 14:34:52 UTC

Hello,

I was trying to find out how to disable ssh log-in using password, leaving enabled only authorized_keys.

The guide says: "Also verify that you don't have UsePAM yes in your configuration file as it overrides the public key authentication mechanism." However, I have found that I can leave PAM on if I set "ChallengeResponseAuthentication" to "no" (which is not mentioned on that page).

While looking at the page, I also checked the Apache part. On my freshly installed system, SSL is on by default, user & group is set to apache by default, and ServerTokens are set to "Prod" by default ... so it is superfluous to mention these options. Also, the configuration is not within the file /etc/apache/conf/apache.conf

There may be other things on that page which would make sense to update ...

Reproducible: Always

Comment 1 Sven Vermeulen (RETIRED) gentoo-dev

2008-06-13 20:03:26 UTC

Thanks; I've updated the text to reflect this. Also verified that a pristine installation sets the various settings already.

Comment 2 kavol 2008-06-16 15:58:40 UTC

Thanks, perfect.