Christoph Anton Mitterer
2015-Feb-21 23:53 UTC
PermitRootLogin default (was: "PermitRootLogin no" should not proceed with root login)
On Sat, 2015-02-21 at 23:36 +0000, Philip Hands wrote:
> I'm glad to say that the default for the Debian package

Unfortunately, Debian overdid it quite a lot and also set a number of not so smart (respectively security-critical) defaults:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765632

So it's like 1:1 ;-)

Cheers,
Chris.
Philip Hands
2015-Feb-22 22:33 UTC
PermitRootLogin default (was: "PermitRootLogin no" should not proceed with root login)
Christoph Anton Mitterer <calestyo at scientia.net> writes:
> On Sat, 2015-02-21 at 23:36 +0000, Philip Hands wrote:
>> I'm glad to say that the default for the Debian package
> Unfortunately, Debian overdid it quite a lot and also set a number of
> not so smart (respectively security-critical) defaults:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765632
>
> So it's like 1:1 ;-)

Having looked at the bug you mention, I have to agree that the ForwardX11Trusted seems to have been misguided at the time it was applied, and now (over a decade later) seems just plain wrong. I've followed up on the bug to that effect, Cc-ing you, so you should have seen that.

Cheers, Phil.

P.S. I take it that you were not trying to say that there's anything you object to about the proposal to use "without-password" as the default?

-- 
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
Christoph Anton Mitterer
2015-Feb-22 22:53 UTC
PermitRootLogin default (was: "PermitRootLogin no" should not proceed with root login)
On Sun, 2015-02-22 at 22:33 +0000, Philip Hands wrote:
> P.S. I take it that you were not trying to say that there's anything you
> object to about the proposal to use "without-password" as the default?

Yes,... the upstream default should be either without-password or simply no, actually, for security reasons I'd even prefer the latter.

In the days of fully automated installation, puppet and Co. it can't be so hard for sysadmins to change that value to something != no when this is what they really want.

Distros, IMHO, can overwrite the defaults (if there's really good reason),... but only in the config files, where everyone sees this. Really changing the defaults in code is basically in most if not all cases plain wrong (the only exceptions I could think of is, when upstream would really set defaults which are horribly security critical or may cause data corruption or things like that).

Cheers,
Chris.
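Added example, not part of the thread: a POSIX shell check that reports the PermitRootLogin value sshd actually applies (as printed by `sshd -T`) and whether it came from an explicit sshd_config directive or from the built-in default that a distro may have changed in code, which is the distinction Chris draws above. The `sshd -T` output and sshd_config text are constructed samples; on a real host you would feed it `sshd -T` and `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` output (sshd prints keywords in lowercase).
SAMPLE_SSHD_T='port 22
permitrootlogin without-password
passwordauthentication yes'

# Constructed sample sshd_config that relies on the built-in default:
# the only PermitRootLogin line is commented out.
SAMPLE_CONFIG='# Package-provided sshd_config
Port 22
#PermitRootLogin yes
PasswordAuthentication yes'

# effective_permitrootlogin <sshd -T output>: the value sshd will enforce.
effective_permitrootlogin() {
    printf '%s\n' "$1" | awk 'tolower($1) == "permitrootlogin" { print $2; exit }'
}

# explicit_permitrootlogin <sshd_config text>: value of the first uncommented
# PermitRootLogin directive (keywords are case-insensitive), or "unset" when the
# file leaves it to the built-in default. Match blocks are not distinguished.
explicit_permitrootlogin() {
    v=$(printf '%s\n' "$1" | awk 'tolower($1) == "permitrootlogin" { print $2; exit }')
    printf '%s\n' "${v:-unset}"
}

# rate_permitrootlogin <value>: "ok" for the key-only or disabled settings
# discussed in the thread (prohibit-password is the later alias of
# without-password), "weak" for yes, "review" for anything else.
rate_permitrootlogin() {
    case "$1" in
        no|without-password|prohibit-password) echo ok ;;
        yes) echo weak ;;
        *) echo review ;;
    esac
}

# report_permitrootlogin <sshd -T output> <sshd_config text>: one-line summary
# showing the effective value, where it came from, and its rating.
report_permitrootlogin() {
    eff=$(effective_permitrootlogin "$1")
    src=$(explicit_permitrootlogin "$2")
    if [ "$src" = unset ]; then src=built-in-default; else src=sshd_config; fi
    printf 'effective=%s source=%s rating=%s\n' "$eff" "$src" "$(rate_permitrootlogin "$eff")"
}

report_permitrootlogin "$SAMPLE_SSHD_T" "$SAMPLE_CONFIG"
```

A `source=built-in-default` result means the value shown is whatever upstream or the package compiled in, which is exactly the case where reading sshd_config alone tells you nothing.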