Difference between revisions of "Vuln ssh passwdauth"

From Atomicorp Wiki
m (Created page with "'''Vulnerability''' System allows password based authentication '''Explanation''' Passwords are the simplest and most easily defeated form of authentication. Passwords can be...")
 
m
 
Line 8: Line 8:
  
 
Linux offers other forms of authentication, such as key based authentication, which is much stronger than passwords.  For example, keys can not be guessed or brute forced.  A key would need to stolen by an attacker, and the credentials to access it would also need to be stolen.
 
Linux offers other forms of authentication, such as key based authentication, which is much stronger than passwords.  For example, keys can not be guessed or brute forced.  A key would need to stolen by an attacker, and the credentials to access it would also need to be stolen.
 +
 +
= Next Steps =
 +
 +
If this risk is unacceptable for your system, then you will want to disable this capability in PHP.
 +
 +
Step 1: Log into the ASL GUI, click on Configuration and select the ASL configuration menu option.  This will open the ASL configuration screen. 
 +
 +
Step 2: Scroll down to PHP_CHECKS and make sure this is set to "yes".  By default ASL will only warn about PHP vulnerabilities.  If you set this to yes, it will also fix these vulnerabilities.  If this is set to "no" the next step will not work, so set this to "yes".
 +
 +
Step 3: Scroll down to SSH_PASSWORD_AUTH and set this to "no".
 +
 +
Step 4: Click the "update" button.
 +
 +
This will resolve this vulnerability.
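Review bot: the added sentence under "Next Steps" says to "disable this capability in PHP", and Step 2 gates the fix on PHP_CHECKS, yet this page is about SSH password authentication and Step 3 sets SSH_PASSWORD_AUTH. The PHP wording looks carried over from another page, so reword the intro to refer to SSH and confirm that PHP_CHECKS really is the setting that enables the SSH fix. The steps also never tell the reader to confirm that key-based login works before setting SSH_PASSWORD_AUTH to "no", which risks locking the administrator out; add that as a step before Step 3.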

Latest revision as of 19:19, 10 February 2012

Vulnerability

System allows password-based authentication

Explanation

Passwords are the simplest and most easily defeated form of authentication. Passwords can be stolen, either directly or via software such as viruses or malware, or may be guessed or brute forced.

Linux offers other forms of authentication, such as key-based authentication, which is much stronger than passwords. For example, keys cannot be guessed or brute forced. A key would need to be stolen by an attacker, and the credentials to access it would also need to be stolen.

Next Steps

If this risk is unacceptable for your system, then you will want to disable this capability in PHP.

Step 1: Log into the ASL GUI, click on Configuration and select the ASL configuration menu option. This will open the ASL configuration screen.

Step 2: Scroll down to PHP_CHECKS and make sure this is set to "yes". By default ASL will only warn about PHP vulnerabilities. If you set this to yes, it will also fix these vulnerabilities. If this is set to "no" the next step will not work, so set this to "yes".

Step 3: Scroll down to SSH_PASSWORD_AUTH and set this to "no".

Step 4: Click the "update" button.

This will resolve this vulnerability.
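To confirm on the host that no password path remains after the update, the effective sshd settings can be audited. This is an added example, not part of ASL or of the original page; it assumes the ASL SSH_PASSWORD_AUTH option ends up controlling OpenSSH's PasswordAuthentication directive, and the function name check_sshd_auth and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ASL code): audit the effective sshd authentication settings.
# Input on stdin: output of `sshd -T` (lower-case "keyword value" lines).
# Prints one finding per line; returns 0 only when the host is key-only.
check_sshd_auth() {
    awk '
        { v[$1] = tolower($2) }
        END {
            bad = 0
            # Key login must work before passwords are turned off.
            if (v["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication is not yes: disabling passwords would lock you out"
                bad = 1
            }
            if (v["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication is still enabled"
                bad = 1
            }
            # Newer OpenSSH prints kbdinteractiveauthentication, older
            # releases print challengeresponseauthentication.
            kbd = ("kbdinteractiveauthentication" in v) ? \
                  v["kbdinteractiveauthentication"] : v["challengeresponseauthentication"]
            # Keyboard-interactive through PAM can still prompt for a password.
            if (kbd == "yes" && v["usepam"] == "yes") {
                print "FAIL keyboard-interactive + PAM still accepts passwords"
                bad = 1
            }
            if (!bad) print "OK key-only authentication"
            exit bad
        }'
}

# Constructed sample of `sshd -T` output: PasswordAuthentication is off,
# but keyboard-interactive through PAM is still on.
sample_partial='pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication yes
usepam yes'

printf '%s\n' "$sample_partial" | check_sshd_auth || echo "(sample host is not key-only yet)"

# On a real host, as root:  sshd -T | check_sshd_auth
```

Run the check from a second, already open session so that a failed key login does not cut off access.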
