On 23/03/16 12:02, Adam Borowski wrote:
> On Wed, Mar 23, 2016 at 11:44:30AM +1300, Daniel Reurich wrote:
>> On 23/03/16 11:35, Adam Borowski wrote:
>>> I hope you know that, since jessie, password remote logins for
>>> root are disabled unless you enable them yourself.
>>>
>> I think this is problematic and should be prompted for during the
>> install - like I'm pretty sure it was during the install of
>> wheezy...
>>
>> Seeing we're already rebuilding openssh I'll look into it if someone
>> will do me a favour and create an issue against that project in
>> git.devuan.org
>
> Uhm, why? That's a reasonable default.

Because it prevents being able to do a minimal install with only a root user set up (which is how I normally set up servers) and being able to ssh in post-install using a password in order to be able to install my ssh pubkey. (From the standard installer it's impossible to pre-load an ssh key during the install without pre-seeding).

> If someone wants that badly to enable remote passwords for root, they
> can edit /etc/ssh/sshd_config, same as for any dubious security
> practice. In the meantime, the rest of us either log as a user
> first or use keypairs.
>
> And as so many people use weak passwords, disabling this avenue of
> attack by default is important.

I disagree. It's really no less secure than having a user account with a user that has a weak password being able to sudo to root.

--
Daniel Reurich
Centurion Computer Technology (2005) Ltd.
021 797 722
