Git-Mirrors/security-misc
1
0
Fork 0
mirror of https://github.com/Kicksecure/security-misc.git synced 2025-06-07 17:32:38 -04:00
Code Issues Projects Releases Packages Wiki Activity

permission hardener: disable SUID for ssh-agent, ssh-keysign, /lib/openssh/*

Browse source 
This might break SSH host-based authentication.
This commit is contained in:
Patrick Schleizer 2025-01-14 04:06:44 -05:00
parent d89ffcde30
commit 7a5f8b87af
No known key found for this signature in database
GPG key ID: CB8D50BB77BB3C48
1 changed files with 8 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

12
usr/lib/permission-hardener.d/25_default_whitelist_ssh.conf
View file

@ -5,7 +5,11 @@
## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
## configuration. When security-misc is updated, this file may be overwritten. ## configuration. When security-misc is updated, this file may be overwritten.
## TODO: research ## Used only for SSH host-based authentication
ssh-agent matchwhitelist ## https://linux.die.net/man/8/ssh-keysign
ssh-keysign matchwhitelist ## Needed to allow access to the machine's host key for use in the
/lib/openssh matchwhitelist ## authentication process. This is a non-default method of authenticating to
## SSH, and is likely rarely used, thus this should be safe to disable.
#ssh-agent matchwhitelist
#ssh-keysign matchwhitelist
#/lib/openssh matchwhitelist