ssh X forwarding change in FC3

Nils Philippsen nphilipp at redhat.com
Fri Jan 7 09:16:01 UTC 2005


On Thu, 2005-01-06 at 15:40 -0500, David Hollis wrote:
> On Thu, 2005-01-06 at 21:04 +0100, Alexander Dalloz wrote:
> 
> > 
> > No, that would be silly. Reverting a security improvement just because
> > users do not RTFM?
> > 
> > As commented too in the bugzilla entry, the change was made long ago in
> > the upstream OpenSSH. See the FAQ
> > 
> > http://www.openssh.org/faq.html#3.12
> > http://www.openssh.org/faq.html#3.123
> > 
> > > Pádraig Brady - http://www.pixelbeat.org
> > 
> > Use OpenSSH properly and as documented and all is well.
> > 
> 
> I would like to see PermitRootLogin=no in the sshd_config file by
> default.  If I'm not mistaken, that is the default for openssh out of
> the box, but the installed config (indicates anyway) that
> PermitRootLogin=yes.  With things like the SSH password guessing worm
> running around, not allowing bad things to get in just because someone's
> root password is weak is not a good thing.

Unfortunately this completely breaks remote installs (e.g. via VNC)
because you can install the machine but cannot log into it after
installation because you don't have a normal user to start with (that is
created in firstboot which didn't work over say serial console last I
checked).

IMO it'd be better to do some quality checks on the password assigned to
root during the installation and if it fails some dialog similar to the
one you get when you disable the firewall (which lets you proceed
anyway after a warning). Perhaps there could be a switch "Allow remote
root logins over SSH" in the same dialog where the root password is
specified.

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp at redhat.com
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011



