<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Sep 25, 2014 at 11:10 PM, Bill Christensen <span dir="ltr"><<a href="mailto:billc_lists@greenbuilder.com" target="_blank">billc_lists@greenbuilder.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Anyone got any?<br></blockquote></div><div class="gmail_extra"><br></div>OS X out of the box is less vulnerable than some because its DHCP client doesn't use scripts that pass DHCP options in the environment (at least as far as I, and everyone I've talked to so far who has some clue, can tell) and, while it has Apache in the default configuration ("Web Sharing"), it's generally off by default and the default CGI directory (/Library/WebServer/CGI-Executables) is empty. sshd does pass $TERM, so in theory it could be compromised when someone logs in remotely, but "Remote Login" is also disabled by default, and note that the sshd route can only be used if someone can authenticate.</div><div class="gmail_extra"><br></div><div class="gmail_extra">On general principles, not just ShellShock, I would limit sshd to particular accounts via the GUI, and edit /etc/sshd_config to disable root login with anything but a key (or possibly not even that) by ensuring "ChallengeResponseAuthentication no" ("KeyboardInteractive no" on older OS X / sshd) and "PermitRootLogin" either "no" or "without-password". (I think there is a corner case here where "PermitRootLogin without-password" and "ChallengeResponseAuthentication yes" / "KeyboardInteractive yes" will allow root to authenticate via PAM password?
In any case, it's probably best to only allow pubkey login across the board, given how ssh servers get attacked these days.)<br clear="all"><div><br></div>-- <br><div dir="ltr"><div>brandon s allbery kf8nh sine nomine associates</div><div><a href="mailto:allbery.b@gmail.com" target="_blank">allbery.b@gmail.com</a> <a href="mailto:ballbery@sinenomine.net" target="_blank">ballbery@sinenomine.net</a></div><div>unix, openafs, kerberos, infrastructure, xmonad <a href="http://sinenomine.net" target="_blank">http://sinenomine.net</a></div></div>
</div></div>
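<p>Added example (editor's code, not part of the thread above): a small POSIX shell audit that reads an sshd_config file and reports whether it matches the pubkey-only policy the reply recommends (PermitRootLogin "no" or "without-password", ChallengeResponseAuthentication "no"). The file names, the two constructed sample configs, the assumed OpenSSH defaults for missing keywords, and the decision to also flag PasswordAuthentication and PubkeyAuthentication are my own assumptions. The path is /etc/sshd_config on the OS X of that era, as the post says, and usually /etc/ssh/sshd_config elsewhere.</p>

```shell
#!/bin/sh
# Audit an sshd_config against a pubkey-only policy.
# Added example, not from the original post. Sample configs are constructed.

# Print the effective value of a keyword in an sshd_config file.
# sshd honours the FIRST occurrence of a keyword and matches it case-insensitively;
# comment lines are skipped. Only the "Keyword value" form is handled (not
# "Keyword=value"), and Match blocks are not modelled; use `sshd -T` for the
# truly effective values on a live host.
#   $1 = config file   $2 = keyword   $3 = assumed default when absent
sshd_opt() {
    val=$(awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        { if (tolower($1) == key) { print $2; exit } }' "$1")
    [ -n "$val" ] && printf '%s\n' "$val" || printf '%s\n' "$3"
}

# Return 0 if the file is hardened, 1 otherwise, printing one FAIL line per finding.
# Defaults below are the assumed OpenSSH defaults of the 2014 era (PermitRootLogin
# still defaulted to "yes"; OpenSSH 7.0 later changed it to "prohibit-password").
audit_sshd_config() {
    f=$1
    rc=0
    prl=$(sshd_opt "$f" PermitRootLogin yes)
    cra=$(sshd_opt "$f" ChallengeResponseAuthentication yes)
    pwa=$(sshd_opt "$f" PasswordAuthentication yes)
    pka=$(sshd_opt "$f" PubkeyAuthentication yes)

    case "$prl" in
        no|without-password|prohibit-password) ;;
        *) echo "FAIL: PermitRootLogin is '$prl' (want no or without-password)"; rc=1 ;;
    esac
    # The reply's corner case: without-password still permits PAM/keyboard-interactive
    # for root unless challenge-response is off, so this is flagged independently.
    [ "$cra" = no ] || { echo "FAIL: ChallengeResponseAuthentication is '$cra' (want no)"; rc=1; }
    [ "$pwa" = no ] || { echo "FAIL: PasswordAuthentication is '$pwa' (want no, pubkey only)"; rc=1; }
    [ "$pka" = yes ] || { echo "FAIL: PubkeyAuthentication is '$pka' (want yes)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $f allows pubkey-only login"
    return "$rc"
}

# Write two constructed sample configs into a temp dir and print the dir name.
make_sample_configs() {
    d=$(mktemp -d)
    cat > "$d/weak.conf" <<'EOF'
# constructed sample: permissive sshd_config
Port 22
PermitRootLogin yes
ChallengeResponseAuthentication yes
PasswordAuthentication yes
UsePAM yes
EOF
    cat > "$d/hardened.conf" <<'EOF'
# constructed sample: the settings the reply recommends, pubkey only
Port 22
PermitRootLogin no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM yes
EOF
    printf '%s\n' "$d"
}

# Stand-alone demo: audit both samples, then clean up.
samples=$(make_sample_configs)
audit_sshd_config "$samples/weak.conf"
audit_sshd_config "$samples/hardened.conf"
rm -rf "$samples"
```

<p>To check a real host rather than the constructed samples, run <code>audit_sshd_config /etc/sshd_config</code> (or pipe <code>sshd -T</code> into a file and audit that, which also resolves Match blocks and compile-time defaults the parser above does not see).</p>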