SSHd

Arthur Pemberton pemboa at gmail.com
Mon Aug 21 23:08:29 UTC 2006


I am not qualified to respond to the issue faced with headless
machines as I have never had the need to do such myself (though this
thread makes me want to give it a try); however, on a per-user basis, I
think it is safe to say that the majority of users do not utilize this
method of installation, so maybe those who are in the know can devise
a way to have root off by default.

While the bots going around guess most usernames, they will always get
'root' and 'ftp' right on a standard install. At least 'ftp' has the
nologin shell. Both easily allowing weak passwords, and having root
able to remotely log in by default, seem to be leaving open a
semi-obvious attack vector that need not be.

Slightly off-topic, however: we might consider banning the creation or
remote login of the more commonly attacked usernames (not considering
root, as there is the previously described problem).

Peace.
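As an added example, not from this thread or from any Fedora or OpenSSH tooling, here is a small Python script covering both halves of the post's point: it reads sshd "Failed password" lines to separate guesses at accounts that really exist (root, ftp on a default install) from guesses at invalid users, and it checks whether the global section of an sshd_config leaves PermitRootLogin unset. The log lines, host name, IPs and config text are constructed for illustration.

```python
import re

# Real OpenSSH auth-log wording for a rejected password; guesses at accounts that
# do not exist carry the "invalid user" prefix, guesses at real ones do not.
FAILED_RE = re.compile(r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
                       r"from (?P<src>\S+) port \d+ ssh2")

def summarize_failures(lines):
    """Map username -> {"exists": bool, "attempts": int, "sources": set of IPs}."""
    stats = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m is None:
            continue
        e = stats.setdefault(m["user"], {"exists": m["invalid"] is None,
                                         "attempts": 0, "sources": set()})
        e["attempts"] += 1
        e["sources"].add(m["src"])
    return stats

def guessed_real_accounts(stats):
    """Names the bots got right (root and ftp on a default install): a weak
    password plus a permissive PermitRootLogin turns these into a foothold."""
    return sorted(u for u, e in stats.items() if e["exists"])

def audit_sshd_config(text):
    """Global (PermitRootLogin or None if unset, DenyUsers list). sshd keeps the
    FIRST occurrence of a keyword and Match blocks are conditional, so stop at Match."""
    root_login, deny = None, []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            break
        if key == "permitrootlogin" and root_login is None:
            root_login = value.strip().lower()
        elif key == "denyusers":
            deny.extend(value.split())
    return root_login, deny

# Constructed sample input (not real logs or a real host's config).
SAMPLE_LOG = [
    "Aug 21 22:50:01 box sshd[4101]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Aug 21 22:50:03 box sshd[4102]: Failed password for invalid user admin from 203.0.113.5 port 4243 ssh2",
    "Aug 21 22:50:05 box sshd[4103]: Failed password for ftp from 198.51.100.7 port 5100 ssh2",
    "Aug 21 22:50:06 box sshd[4104]: Failed password for root from 198.51.100.7 port 5101 ssh2",
]
SAMPLE_CONFIG = "Port 22\n# PermitRootLogin no   <- commented out, so the default applies\nDenyUsers ftp\n"
```

An unset PermitRootLogin returned as None is the case the post argues against: on the OpenSSH releases of that era the unset default was "yes".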