F22 System Wide Change: Set sshd(8) PermitRootLogin=no
P J P
pj.pandit at yahoo.co.in
Mon Jan 12 18:18:58 UTC 2015
Hello Paul,
> On Monday, 12 January 2015 11:18 PM, Paul Wouters wrote:
> What if I told you Neo, that there are no strong passwords?
> Passwords are weak. Some are less weak than others. I'd rather
> teach people to use ssh keys for remote access and only restrict
> passwords to console/physical access. That would be a good
> security lesson to teach.
Sure, I'm all for it.
>> Thirdly, as said in another thread, if we resort to using keys based
>> authentication for 'root' account, it would lead to people using same
>> mechanism for other accounts too.
>
> Excellent! even less password guessing possible!
Exactly!
> And again, ignoring the collateral damage. As people suggested, keep ssh
> key based root logins allowed.
Sure, that's absolutely fine with me. It seems maybe you missed my earlier email wherein I said, how we restrict remote 'root' access is negotiable.
-> https://lists.fedoraproject.org/pipermail/devel/2015-January/206224.html
So 'PermitRootLogin=without-password' is good too.
> You can accomplish disabling password based remote root logins by
> disabling password based remote root logins:
>
> PermitRootLogin without-password
>
> This matches exactly what the feature is supposed to protect against -
> brute forced password attacks against root. I have not heard anyone
> in this thread yet saying this is unacceptable, except for your vague
> claim of 'it would lead to people using same mechanism for other
> accounts too' (which I interpret as good, not bad)
He..he..yes, even I meant it as an added advantage. As said before,
'PermitRootLogin=without-password' is fine for me too. :)
So, if everybody agrees with 'PermitRootLogin=without-password' as the _default_
sshd(8) configuration, maybe we could discuss other workflow issues
that might crop up as a result.
---
Regards
-Prasad
http://feedmug.com
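
Added example, not part of the original message or of any Fedora/OpenSSH code: a small audit of an sshd_config text for the root-login restriction discussed in this thread. It relies on sshd using the first value it reads for a keyword, so a hardening line appended after an earlier `PermitRootLogin yes` has no effect. The function names, the mode labels and the `default_root` parameter are hypothetical, and the sample configs in the test are constructed.

```python
import re

# 'without-password' and 'prohibit-password' name the same setting
# (the latter spelling was introduced in OpenSSH 7.0).
KEY_ONLY = {"without-password", "prohibit-password"}
# Keyword, then whitespace and/or a single '=', then the argument.
LINE = re.compile(r"([A-Za-z0-9]+)\s*=?\s*(.*)")

def global_settings(text):
    """Return {keyword: value} for the global section (before any Match).

    Keywords are case-insensitive and the first occurrence wins.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break  # conditional blocks are not evaluated by this audit
        settings.setdefault(key, value)  # later duplicates are ignored
    return settings

def root_login_mode(text, default_root="yes"):
    """Classify the root-specific restriction in the global section.

    default_root is an assumption about the compiled-in default used when
    the keyword is absent: 'yes' before OpenSSH 7.0, 'prohibit-password'
    from 7.0 on.
    """
    value = global_settings(text).get("permitrootlogin", default_root)
    if value == "no":
        return "disabled"
    if value == "forced-commands-only":
        return "forced-commands-only"
    if value in KEY_ONLY:
        return "key-only"
    if value == "yes":
        # No root-specific limit: passwords work for root whenever
        # password authentication is enabled for the server at all.
        return "unrestricted"
    raise ValueError("unknown PermitRootLogin value: " + value)
```

On a live host, `sshd -T` prints the effective configuration after the same first-match processing and is the authoritative check.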