Date: Sat, 6 Oct 2001 12:24:20 +0200 (CEST)
From: Oliver Fromme <olli@secnetix.de>
To: freebsd-stable@FreeBSD.ORG
Subject: Re: Why sshd:PermitRootLogin = no ?
Message-ID: <200110061024.MAA23902@lurza.secnetix.de>
In-Reply-To: <200110052040.f95KeTw84982@earth.backplane.com>
Matt Dillon <dillon@earth.backplane.com> wrote:

> Yes, exactly so. Though I don't think it would hurt to change
> the default to:
>
> PermitRootLogin without-password
>
> Which means that root can only login using a pre-authenticated
> method such as an SSH key pair (aka ~root/.ssh/authorized_keys), or
> kerberos. Passworded logins are still disallowed.

There are installations where people don't want root logins to be enabled, whether with password or not. This includes many of the machines I am responsible for. If the default was changed, I'd have to edit sshd_config and replace "without-password" with "no" everywhere.

This is not necessarily a matter of security. There are certainly ultra-paranoid folks who prefer a setting of "no" for security reasons, or rather for a better feeling; but anyway, if they want it to be "no", it's their decision, and it's certainly not wrong to set it that way.

On the other hand, on many sites it is simply disallowed for admins to log in as root, because it circumvents administrative concepts, in particular when there are multiple persons in charge of administration. Just one example: when you log in as a user, then su to root and type shutdown, your actual userid will be logged along with the shutdown messages (and even if it weren't, you can see in wtmp who was logged in at that time). If you log in as root and shutdown, you can't say later who did the shutdown.

Therefore it is often a very good thing to disallow root logins right away, no matter whether with password, s/key, RSA key, Kerberos or whatever.

Therefore I'd vote for keeping the setting at the "minimum" possible (i.e. "no"). I think this is also what most people would expect (see POLA).

Just my 0.02 Euro.

Regards
Oliver

--
Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München
Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way.
"All that we see or seem is just a dream within a dream" (E. A. Poe)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200110061024.MAA23902>
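The thread above turns on what value of PermitRootLogin is actually in effect on a host. As an added example (not code from the thread or from OpenSSH), the POSIX shell function below reports the effective PermitRootLogin value of an sshd_config read on stdin, honouring two sshd parsing rules that audits often miss: the first occurrence of a keyword wins, so a later "no" does not override an earlier "yes", and directives after a Match line are conditional, so the scan stops there. The sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread.  Reads an sshd_config on
# stdin and prints the effective PermitRootLogin value, lowercased, or
# "unset" when no unconditional directive is present (sshd's compiled-in
# default then applies).  Only the "keyword value" form is handled.
permit_root_login() {
    awk '
        /^[[:space:]]*#/ { next }                   # comment line
        tolower($1) == "match" { exit }             # conditional block starts
        tolower($1) == "permitrootlogin" {
            print tolower($2); found = 1; exit      # first occurrence wins
        }
        END { if (!found) print "unset" }
    '
}

# Constructed sample: the early "yes" is what sshd uses; the later "no"
# that an admin appended to "disable root login" is silently ignored.
WEAK_CFG='# constructed sample sshd_config (weak)
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no'

# Constructed sample: the setting Oliver argues for, placed before any
# Match block so it is the unconditional value.
FIXED_CFG='# constructed sample sshd_config (fixed)
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin without-password'

# Stand-alone demonstration.
printf 'weak config : %s\n'  "$(printf '%s\n' "$WEAK_CFG"  | permit_root_login)"
printf 'fixed config: %s\n'  "$(printf '%s\n' "$FIXED_CFG" | permit_root_login)"
```

On a live host the same check is `permit_root_login < /etc/ssh/sshd_config`; `sshd -T` gives the daemon's own view and is the authoritative cross-check.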