Abotu setting 'PermitRootLogin=no' in sshd_config
Nico Kadel-Garcia
nkadel at gmail.com
Mon Nov 24 05:55:15 UTC 2014
On Sun, Nov 23, 2014 at 7:44 PM, Dennis Gilmore <dennis at ausil.us> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 21 Nov 2014 07:11:27 +0000 (UTC)
> P J P <pj.pandit at yahoo.co.in> wrote:
>
>> Hello,
>>
>> Sshd(8) daemon by default allows remote users to login as root.
>>
>> 1. Is that really necessary?
>> 2. Lot of users use their systems as root, without even creating a
>> non-root user. Such practices need to be discouraged, not allowing
>> remote root login could be useful in that.
>>
>> Does it make sense to disable remote root login by default? If so, do
>> we need to just report it to the maintainer or it would be treated as
>> a feature?
>
> I think its a bad idea, but I say so as a user that when installing a
> new system, especially a remove vm will log in as root via ssh and
> join the machine post install to my ipa domain.
>
> Dennis
This is an old, old, subject and debate in the SSH community. Every
time people try to change defaults, it can and *wll* break existing
practices, even if the defaults are a security problem and should have
been changed a decade ago.
Personally? I'd *love* to see the default allow root direct login
directly only from ""localhost". That means a 'Match Host' change to
re-enable PermitRootLogin only if the connection is from localhost,
which is a bit more sophisticated than just turning PermitRootlLogin
on or off. Plus, I don't know if you've looked lately, but some people
*really* screw up "localhost" settings in /etc/hosts as they try to
get clever with shoving the FQDN into the loopback IP addresses, and
hilarity ensues.
More information about the devel
mailing list