anti-shellshock suggestions

Brandon Allbery allbery.b at
Thu Sep 25 20:28:55 PDT 2014

On Thu, Sep 25, 2014 at 11:10 PM, Bill Christensen <
billc_lists at> wrote:

> Anyone got any?

OS X out of the box is less vulnerable than some because its DHCP client
doesn't use scripts that pass DHCP options in the environment (at least as
far as I, and everyone I've talked to so far who has some clue, can tell)
and, while it has Apache in the default configuration ("Web Sharing"), it's
generally off by default and the default CGI directory
(/Library/WebServer/CGI-Executables) is empty. sshd does pass $TERM so in
theory could be compromised when someone logs in remotely, but "Remote
Login" is also disabled by default and note that the sshd route can only be
used if someone can authenticate.

On general principles, not just ShellShock, I would limit sshd to
particular accounts via the GUI, edit /etc/sshd_config to disable root
login with anything but a key (or possibly not even that) by ensuring
"ChallengeResponseAuthentication no" ("KeyboardInteractive no" on older OS
X / sshd) and "PermitRootLogin" either "no" or "without-password". (I think
there is a corner case here where "PermitRootLogin without-password" and
"ChallengeResponseAuthentication yes" / "KeyboardInteractive yes" will
allow root to authenticate via PAM password? In any case, it's probably
best to only allow pubkey login across the board, given how ssh servers get
attacked these days.)

brandon s allbery kf8nh                               sine nomine associates
allbery.b at                                  ballbery at
unix, openafs, kerberos, infrastructure, xmonad
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the macports-users mailing list