About setting 'PermitRootLogin=no' in sshd_config

P J P pj.pandit at yahoo.co.in
Thu Nov 27 11:13:49 UTC 2014


  Hello Tomas,

> On Thursday, 27 November 2014 3:05 PM, Tomas Mraz wrote:
>> ----- Original Message -----
>> On Wed, Nov 26, 2014 at 11:48 AM, Scott Schmit wrote:
>>
>> Look, this is a basic system configuration. It's not "Cripple Mr.
>> Onion". Pick *one* setting, and let people know from that whether
>> they'll need to manipulate their local environments for their
>> particular subtle needs.
>> 
> 
> Exactly! The more I think about this Change the more I am having an
> opinion that we should reject it altogether. In fact this change does not
> really bring any real security improvement because for the Workstation
> the sshd is already disabled completely by default and for the other products
> the people who are installing them can be expected to know what they are doing.

  That's not a prudent expectation.

> Also disabling root access does not improve security against targeted attacks
> because in such cases the user name can be quite easily inferred. So basically
> this feature is just a 'marketing' improvement and not worth the hassle.


  I disagree.

Just because it is easy to infer non-root user names does not mean we tell people it is 'root'. Secondly, it might be easy for you to infer such names, not for everyone. The increased difficulty level that is added by not allowing remote root login could help to thwart a lot of real & automated attacks.[1] Thirdly, it need not be entirely about security; it's also about picking the right default configuration. Same as disabling sshd(8) in Workstation by default. As Scott wrote above:

   ...Pick *one* setting, and let people know from that...

This feature, like any other, requires users to tweak their current practices to suit the new defaults. That is no reason not to do it, because in the longer run it is only beneficial.

[1] https://lists.fedoraproject.org/pipermail/security/2014-November/002031.html
---
Regards
   -Prasad
http://feedmug.com
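
Added example, not part of the original message or of any Fedora tooling: a small audit that reports which `PermitRootLogin` value a given sshd_config file sets globally and which `Match` blocks relax or tighten it. The function name `root_login_policy` and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example. sshd uses the FIRST value it reads for a keyword, keywords
# are case-insensitive, "Keyword=value" is accepted, and values placed after
# a "Match" line only apply to connections meeting that Match's criteria.

# root_login_policy FILE
#   prints "global=<value>" ("unset" means sshd's built-in default applies,
#   which differs between OpenSSH versions), then one
#   "match-override=<value> (<criteria>)" line per conditional setting.
root_login_policy() {
    awk '
        BEGIN { global = "unset"; in_match = 0; k = 0 }
        {
            sub(/^[ \t]+/, "")                   # drop leading whitespace
            if ($0 == "" || $0 ~ /^#/) next      # skip blanks and comments
            line = $0
            if (line ~ /^[A-Za-z]+[ \t]*=/)      # normalise Keyword=value
                sub(/[ \t]*=[ \t]*/, " ", line)
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") { in_match = 1; crit = substr(line, 7); next }
            if (key != "permitrootlogin" || n < 2) next
            val = tolower(f[2]); gsub(/"/, "", val)
            if (in_match) over[++k] = val " (" crit ")"
            else if (global == "unset") global = val   # first value wins
        }
        END {
            print "global=" global
            for (i = 1; i <= k; i++) print "match-override=" over[i]
        }
    ' "$1"
}

# Constructed sample configuration, not taken from any real host.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
permitrootlogin=no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin without-password
EOF
root_login_policy "$sample"
rm -f "$sample"
```

On a running system, `sshd -T` prints the effective configuration and also follows `Include` files, which this sketch does not.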

