Hi,

Ever since 'without-password' became an option, I've thought it would make a better default (and I actually used to patch it that way when I was the Debian Maintainer. My successors think that it's more important to minimise the size of the patch, which is also a reasonable point).

The thing that prompted me to finally mention this here, is this story:

http://bsdly.blogspot.ca/2013/10/the-hail-mary-cloud-and-lessons-learned.html

and the unsurprising fact that the most popular account to guess is 'root', as seen here:

http://home.nuug.no/~peter/hailmary2013/2008nov19/slowbrutes.data/massage/hail-mary-users-by-frequency.txt

I imagine that this issue seems a little irrelevant on this list, as we're all perfectly capable of setting whatever value we want in the sshd_config, but that's not the point.

The point is that the default set here is then inherited by the maintainers of the packages for various OSs, and then offered to users as the default value.

Some of those users are not very competent, and will have chosen worthless passwords when setting up the system, and are not necessarily aware of quite what they are doing when installing sshd.

For example, I can imagine someone being told that they can improve the security of their server if they switch from using ftp to sftp for uploads and not realising that the useless root password is going to be placed in the firing line for these attacks if they follow that advice.

I don't know if the best route is to actually change the default in the binary, or perhaps to supply the default sshd_config with the setting in place, or even just to strongly recommend that distributions ensure that 'without-password' is the setting that new installs get by default unless the user requests otherwise.

It is of course important that any change avoids the risk of locking people out of systems when they upgrade them via an ssh connection.

It probably seems to many here that this is a problem that the distributions need to handle, and I'd mostly agree with that, but since the distributions look here for guidance I'd suggest that any change needs to come from the top.

Thoughts?

Cheers, Phil.

P.S. This could have been a bug report, and I'll happily submit a bug if there's a consensus about this, but I know that people have held differing views about this, and I didn't want to clog the bug tracker with a massive argument -- I hope we can avoid that on the mailing list too :-)

--
|)| Philip Hands [+44 (0)20 8530 9560] http://www.hands.com/
|-| HANDS.COM Ltd. http://www.uk.debian.org/
|(| 10 Onslow Gardens, South Woodford, London E18 1NE ENGLAND
On 10/5/2013 8:24 PM, Philip Hands wrote:

> Hi,
>
> Ever since 'without-password' became an option, I've thought it would make a better default (and I actually used to patch it that way when I was the Debian Maintainer. My successors think that it's more important to minimise the size of the patch, which is also a reasonable point).
>
> The thing that prompted me to finally mention this here, is this story:
>
> http://bsdly.blogspot.ca/2013/10/the-hail-mary-cloud-and-lessons-learned.html
>
> and the unsurprising fact that the most popular account to guess is 'root', as seen here:
>
> http://home.nuug.no/~peter/hailmary2013/2008nov19/slowbrutes.data/massage/hail-mary-users-by-frequency.txt
>
> I imagine that this issue seems a little irrelevant on this list, as we're all perfectly capable of setting whatever value we want in the sshd_config, but that's not the point.
>
> The point is that the default set here is then inherited by the maintainers of the packages for various OSs, and then offered to users as the default value.
>
> Some of those users are not very competent, and will have chosen worthless passwords when setting up the system, and are not necessarily aware of quite what they are doing when installing sshd.
>
> For example, I can imagine someone being told that they can improve the security of their server if they switch from using ftp to sftp for uploads and not realising that the useless root password is going to be placed in the firing line for these attacks if they follow that advice.
>
> I don't know if the best route is to actually change the default in the binary, or perhaps to supply the default sshd_config with the setting in place, or even just to strongly recommend that distributions ensure that 'without-password' is the setting that new installs get by default unless the user requests otherwise.
>
> It is of course important that any change avoids the risk of locking people out of systems when they upgrade them via an ssh connection.
>
> It probably seems to many here that this is a problem that the distributions need to handle, and I'd mostly agree with that, but since the distributions look here for guidance I'd suggest that any change needs to come from the top.
>
> Thoughts?

PermitRootLogin Yes is very much not secure by default. I run my systems as 'without-password' as well. That or 'No' would be a much more sane default IMHO.

> Cheers, Phil.
>
> P.S. This could have been a bug report, and I'll happily submit a bug if there's a consensus about this, but I know that people have held differing views about this, and I didn't want to clog the bug tracker with a massive argument -- I hope we can avoid that on the mailing list too :-)

--
Regards,
Bryan Drewery
bdrewery at freenode/EFNet
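Both messages above turn on what value of PermitRootLogin a host actually ends up with, whether from the compiled-in default or from a shipped sshd_config. The script below is an added example written for this page, not code from the thread or from the OpenSSH project. It audits the effective PermitRootLogin value of a config file and flags the defect a packager can easily introduce: sshd takes the first occurrence of a keyword, so a hardened line appended to the end of an existing file is silently ignored if an earlier "PermitRootLogin yes" is present. It assumes the upstream default of "yes" when the keyword is absent (the default the thread is discussing), ignores directives inside Match blocks, and uses constructed sample config files rather than anything from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): audit the effective PermitRootLogin
# value in an sshd_config. sshd uses the FIRST occurrence of a keyword, so a
# hardened line appended after an earlier "PermitRootLogin yes" has no effect.
# Assumption: the compiled-in default is "yes" when the keyword is absent.

# permit_root_login FILE -> prints the effective top-level value, lower-cased
permit_root_login() {
    # Keywords are case-insensitive; comments and blank lines are skipped.
    # Directives after the first Match block are conditional, so stop there.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# classify_root_login VALUE -> "ok" when root cannot log in with a password,
# "weak" otherwise ("prohibit-password" is the later synonym of
# "without-password"; "forced-commands-only" also refuses password logins).
classify_root_login() {
    case "$1" in
        no|without-password|prohibit-password|forced-commands-only) echo ok ;;
        *) echo weak ;;
    esac
}

# Constructed sample configs for demonstration only.
tmp=$(mktemp -d)
# 1. Hardened line appended after an existing "yes": still weak.
printf '%s\n' '# sshd_config' 'PermitRootLogin yes' \
    'Subsystem sftp /usr/lib/openssh/sftp-server' \
    'PermitRootLogin without-password' > "$tmp/appended.conf"
# 2. Keyword absent: the compiled-in default applies.
printf '%s\n' 'Port 22' 'Subsystem sftp /usr/lib/openssh/sftp-server' > "$tmp/absent.conf"
# 3. Setting placed first, as a shipped default file would do it: ok.
printf '%s\n' 'PermitRootLogin without-password' 'PermitRootLogin yes' > "$tmp/shipped.conf"

for f in appended absent shipped; do
    v=$(permit_root_login "$tmp/$f.conf")
    printf '%s: PermitRootLogin=%s (%s)\n' "$f" "$v" "$(classify_root_login "$v")"
done
rm -rf "$tmp"
```

The script only reads the file; it does not change anything. For the lock-out concern Phil raises, the safe order when changing the setting on a live host is to edit the file, run `sshd -t` to check the syntax and `sshd -T` to print the effective configuration sshd will use, confirm that key-based root access (or a non-root account) still works in a second session, and only then restart the daemon while the first session stays open.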