On Tue, Jul 03, 2007 at 10:57:04PM +0000, Adam D. Barratt wrote:
> On Tue, 2007-07-03 at 17:17 -0500, Bob Tanner wrote:
> > Did a new install of lenny amd64 and I was surprised that 'PermitRootLogin
> > yes' was the default setting in /etc/ssh/sshd_config. Is there a reason for
> > this? Seems insecure.
>
> As far as I can see, it's been the default since January 2003.
July 2001, actually.

> Please see README.Debian. Specifically:
>
>     Having PermitRootLogin set to yes means that an attacker that
>     knows the root password can ssh in directly (without having to
>     go via a user account). If you set it to no, then they must
>     compromise a normal user account. In the vast majority of
>     cases, this does not give added security
>     [...]
>     DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS
>     INCORRECT!
>
>     The argument above is somewhat condensed; I have had this
>     discussion at great length with many people. If you think the
>     default is incorrect, and feel strongly enough to want to
>     argue with me about it, then send me email to
>     [EMAIL PROTECTED] I will close bug reports claiming the
>     default is incorrect.
>
> I'm closing this report on the assumption that Colin's opinion is
> similar.

I'm of the same opinion, for much the same reasons as cited at more length
in README.Debian. Note that this is *not* a Debian change; the upstream
default is also to enable PermitRootLogin, and the change in July 2001 was
simply to revert to that.

> If not the documentation should be updated (which it probably
> should be to remove Matthew's address anyway :)

I think Matthew remains happy to argue with people about it. ;-)

-- 
Colin Watson                                       [EMAIL PROTECTED]
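The thread turns on what PermitRootLogin is actually set to in a given sshd_config, and the README excerpt explains what "yes" buys an attacker who already holds the root password. The following is an added example, not part of the original thread or of the Debian openssh package: a small POSIX shell/awk function that resolves the effective global value of an sshd_config keyword from config text (sshd uses the first occurrence of a keyword, ignores comments and blank lines, and treats anything after the first "Match" line as belonging to that block rather than the global scope), applied to two constructed configs, one with the "PermitRootLogin yes" default discussed above and one with key-only root login. The config contents, the function names and the Match block are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread). Resolves the effective global value of an
# sshd_config keyword from config text on stdin. Rules mirrored from sshd_config(5):
#   - keywords are case-insensitive, the first occurrence of a keyword wins,
#   - lines starting with '#' and blank lines are ignored,
#   - settings after the first "Match" line are scoped to that block, not global.
effective_setting() {
    awk -v key="$1" '
        BEGIN { key = tolower(key); found = 0 }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match"               { exit }   # global section ends here
        tolower($1) == key { print $2; found = 1; exit } # first occurrence wins
        END { if (!found) print "unset" }                # keyword never set globally
    '
}

# Returns 0 when root cannot log in with a password over SSH.
# "unset" is treated as not hardened here because the thread is about a
# build whose compiled-in default was "yes" (assumption made for the example).
root_login_is_hardened() {
    case "$(printf '%s' "$1" | effective_setting PermitRootLogin)" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs, not real files from any system.
WEAK_CONFIG='# the default the bug reporter objected to
PermitRootLogin yes
PasswordAuthentication yes
# a later duplicate is ignored by sshd; first occurrence wins
PermitRootLogin no
'

HARDENED_CONFIG='# root may log in only with a key; password logins are off for everyone
permitrootlogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
'

if [ "${1:-}" = "demo" ]; then
    printf 'weak:     PermitRootLogin=%s\n' "$(printf '%s' "$WEAK_CONFIG" | effective_setting PermitRootLogin)"
    printf 'hardened: PermitRootLogin=%s\n' "$(printf '%s' "$HARDENED_CONFIG" | effective_setting PermitRootLogin)"
fi
```

On a live host the authoritative answer comes from the daemon itself: `sshd -T` prints the fully resolved configuration, compiled-in defaults included, so `sshd -T | grep -i permitrootlogin` shows what sshd will really enforce regardless of how the file is laid out. Upstream OpenSSH changed its own default for this keyword to prohibit-password in version 7.0, so on a modern system an absent keyword no longer means "yes"; the function above deliberately reports "unset" rather than guessing a default.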