Date: Fri, 5 Oct 2001 17:57:11 -0700 (PDT)
From: Matt Dillon
Message-Id: <200110060057.f960vBs86348@earth.backplane.com>
To: steve@Watt.COM (Steve Watt)
Cc: stable@FreeBSD.ORG
Subject: Re: Why sshd:PermitRootLogin = no ?
References: <5.1.0.14.0.20011005120304.009f8590@127.0.0.1> <200110052040.f95KeTw84982@earth.backplane.com> <20011005165350.A22343@techsquare.com> <200110052058.f95KwSR85154@earth.backplane.com> <20011005170619.A42459@techsquare.com> <200110052314.f95NEAt79407@wattres.Watt.COM>

:
:dillon@earth.backplane.com wrote:
:> I'm afraid I don't understand your point. If without-password
:> makes sshd useful to a larger subsection of users without affecting
:> security on the original subsection, why wouldn't you want to make
:> the change? Just because it may not make a difference for YOU doesn't
:> mean that it wouldn't be a useful change to make.
:
:But it *can't* make it useful to any more users. How do you get the
:authorized-hosts file updated? You edit it. How do you get the
:configuration changed to without-password from none? You edit it.
:
:Same work, no obvious advantage to without-password over no, and better
:observance of "install in the most secure way possible". Just like
:the discard port is disabled in inetd.conf -- same concept.
:
:--
:Steve Watt KD6GGD PP-ASEL-IA ICBM: 121W 56' 57.8" / 37N 20' 14.9"

I see.
And at what point does editing N files make it 'easier'? 4? 5?
If we were to cut the number of files you had to edit to get X to work
from 5 to 3 would that be worthwhile enough to do a commit? What exactly
are you arguing here? Because I don't see it.

Frankly I think being able to go from 2 files to 1 to get something done,
like creating an authorized_keys file for root, is well worth the commit
if there are otherwise no downsides. I don't see any downsides to doing
this except for a few people who seem to be arguing that status-quo is
better than fixing something even if fixing that something has absolutely
no effect on them.

-Matt