About setting 'PermitRootLogin=no' in sshd_config

Tomas Mraz tmraz at redhat.com
Thu Nov 27 09:35:04 UTC 2014


----- Original Message -----
> On Wed, Nov 26, 2014 at 11:48 AM, Scott Schmit <i.grok at comcast.net> wrote:
> > On Tue, Nov 25, 2014 at 09:56:59AM -0500, Simo Sorce wrote:
> >> On Sat, 22 Nov 2014 08:24:32 +0000 (UTC) P J P wrote:
> >> > > On Saturday, 22 November 2014 1:39 AM, Richard W.M. Jones wrote:
> >> > >> On Fri, Nov 21, 2014 at 09:11:51AM +0100, Florian Weimer wrote:
> >> > >> The latter.  We have to install authorized_keys inside the VM
> >> > >> anyway, so we can touch sshd_config, too.
> >> > >
> >> > > Virt-builder has a new '--ssh-inject' feature (in F22 only).
> >> > >
> >> > >   $ virt-builder fedora-20 --ssh-inject root
> >> > >
> >> > > would inject your current ssh key into the root account of the new
> >> > > VM. There are other variations, including ways to create a non-root
> >> > > user account, see:
> >> > >
> >> > > http://libguestfs.org/virt-builder.1.html
> >> >
> >> >   Excellent! :)
> >> >
> >> > So far the consensus seems to be that it is okay to reverse the current
> >> > default and set PermitRootLogin=no. I'll talk to the upstream
> >> > maintainer - plautrba(https://fedoraproject.org/wiki/User:Plautrba).
> >> >
> >> > Thank you.
> >>
> >> We can install machine w/o user accounts, removing the ability to log
> >> in as root via ssh means those machines will not be accessible.
> >>
> >> If you want to remove root access that should be conditionally done at
> >> firstboot only if a user account was created.
> >
> > It seems to me that we could tweak this somewhat: "only if a user
> > account was created OR remote users have been configured"
> 
> And in months that start with the letter "q", but not odd numbered
> weekdays, and if I ate a tuna fish sandwich for lunch, but not if I'm
> wearing white socks, and only on alternate years with a prime number,
> etc, etc., etc.
> 
> Look, this is a basic system configuration. It's not "Cripple Mr.
> Onion". Pick *one* setting, and let people know from that whether
> they'll need to manipulate their local environments for their
> particular subtle needs.
> 
> And for those who don't read Terry Pratchett stories,
> http://discworld.wikia.com/wiki/Cripple_Mr_Onion

Exactly! The more I think about this Change the more I am having an
opinion that we should reject it altogether. In fact this change does not
really bring any real security improvement because for the Workstation
the sshd is already disabled completely by default and for the other products
the people who are installing them can be expected to know what they
are doing.

Also disabling root access does not improve security against targeted attacks
because in such cases the user name can be quite easily inferred. So basically
this feature is just a 'marketing' improvement and not worth the hassle.

Tomas Mraz
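
The conditional rule proposed in the quoted messages (disable root login at firstboot "only if a user account was created"), as an added example that is not part of the thread or of any Fedora tooling. The function names and the UID >= 1000 cutoff are assumptions, and the "remote users have been configured" case is not covered.

```shell
#!/bin/sh
# Assumption: UID >= 1000 marks a regular account (Fedora's default UID_MIN);
# accounts that come from a remote directory are not covered.

# Succeeds if PASSWD_FILE lists a regular account with a usable login shell.
has_login_user() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $7 !~ /(nologin|false)$/ { found = 1 }
             END { exit !found }' "$1"
}

# Prints "no" only when someone other than root can log in, otherwise "yes".
choose_permit_root_login() {
    if has_login_user "$1"; then echo no; else echo yes; fi
}

# Sets the global PermitRootLogin in CONFIG to VALUE. sshd keeps the first
# value it reads for a keyword, so the existing line is rewritten in place;
# lines inside Match blocks are left alone.
set_permit_root_login() {
    tmp=$(mktemp) || return 1
    awk -v v="$2" '
        { l = tolower($0) }
        l ~ /^[ \t]*match[ \t]/ { in_match = 1
            if (!done) { print "PermitRootLogin " v; done = 1 } }
        !in_match && l ~ /^[ \t]*#?permitrootlogin[ \t]/ {
            if (!done) { print "PermitRootLogin " v; done = 1 }
            next }
        { print }
        END { if (!done) print "PermitRootLogin " v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Demo on constructed sample files (not taken from a real system).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'sshd:x:74:74::/usr/share/empty.sshd:/sbin/nologin' > "$d/passwd"
    printf '%s\n' '#PermitRootLogin yes' 'Match User backup' \
        '    PermitRootLogin forced-commands-only' > "$d/sshd_config"
    set_permit_root_login "$d/sshd_config" "$(choose_permit_root_login "$d/passwd")"
    cat "$d/sshd_config"; rm -rf "$d"
}
demo
```

With only root and a service account present, the demo keeps root login enabled, which is the lock-out case raised in the thread for machines installed without user accounts.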

