On Sat, 14 May 2011 23:15:33 +0900 Joel Rees <joel.r...@gmail.com> wrote:
...

> Disable root login on ssh entirely. (/etc/ssh/sshd_config has that
> enabled in my more-or-less default install. That is, I think, so you
> don't find yourself in a catch-22 when installing remotely. Should be
> in a list of things to do afterboot.)

From /usr/share/doc/openssh-server/README.Debian:

> PermitRootLogin set to yes
> --------------------------
>
> This is now the default setting (in line with upstream), and people
> who asked for an automatically-generated configuration file when
> upgrading from potato (or on a new install) will have this setting in
> their /etc/ssh/sshd_config file.
>
> Should you wish to change this setting, edit /etc/ssh/sshd_config, and
> change:
>   PermitRootLogin yes
> to:
>   PermitRootLogin no
>
> Having PermitRootLogin set to yes means that an attacker that knows
> the root password can ssh in directly (without having to go via a user
> account). If you set it to no, then they must compromise a normal user
> account. In the vast majority of cases, this does not give added
> security; remember that any account you su to root from is equivalent
> to root - compromising this account gives an attacker access to root
> easily. If you only ever log in as root from the physical console,
> then you probably want to set this value to no.
>
> As an aside, PermitRootLogin can also be set to "without-password" or
> "forced-commands-only" - see sshd(8) for more details.
>
> DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
>
> The argument above is somewhat condensed; I have had this discussion
> at great length with many people. If you think the default is
> incorrect, and feel strongly enough to want to argue about it, then
> send email to debian-...@lists.debian.org. I will close bug reports
> claiming the default is incorrect.

Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator

Archive: http://lists.debian.org/20110520132526.e4e508cb.cele...@gmail.com
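
Added example, not part of the original message or of the Debian README: a small audit helper that reports which PermitRootLogin value an sshd_config actually sets, applying the sshd_config(5) rules that keywords are case-insensitive, the first value obtained wins, and lines after a Match line are conditional overrides. The function names and the sample configuration are constructed for illustration, and a single-file configuration is assumed.

```python
import re

# Keyword and argument are separated by whitespace or by a single "=".
LINE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")

def permit_root_login(config_text):
    """Return (global_value, overrides) for PermitRootLogin.

    global_value: first value set outside any Match block (first one wins),
                  or None when the file leaves it to sshd's built-in default.
    overrides:    [(match_criteria, value)] for each Match block that sets it.
    Include directives are not followed (assumption: single-file config).
    """
    global_value, overrides = None, []
    criteria, set_in_block = None, False
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())      # comments and blank lines do not match
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2).strip()
        if keyword == "match":
            criteria, set_in_block = arg, False
        elif keyword == "permitrootlogin" and arg:
            value = arg.split()[0].strip('"')
            if criteria is None:
                if global_value is None:
                    global_value = value
            elif not set_in_block:
                overrides.append((criteria, value))
                set_in_block = True
    return global_value, overrides

def root_password_paths(config_text):
    """List the contexts in which the file sets PermitRootLogin to "yes"."""
    global_value, overrides = permit_root_login(config_text)
    hits = ["global"] if global_value == "yes" else []
    hits += ["Match " + c for c, v in overrides if v == "yes"]
    return hits

# Constructed sample, not taken from any real host.
SAMPLE = """\
# sshd_config (constructed)
Port 22
permitrootlogin = no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
"""

if __name__ == "__main__":
    print(permit_root_login(SAMPLE))
    print(root_password_paths(SAMPLE))
```

On a live host, `sshd -T` prints the effective configuration as the daemon itself resolves it, which is the authoritative cross-check for a parser like this.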