[Bug 2164] New: PermitRootLogin=without-password as default
bugzilla-daemon at natsu.mindrot.org
Thu Oct 24 10:40:16 EST 2013
https://bugzilla.mindrot.org/show_bug.cgi?id=2164
Bug ID: 2164
Summary: PermitRootLogin=without-password as default
Product: Portable OpenSSH
Version: 6.2p1
Hardware: Other
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: phil at hands.com
The current default of PermitRootLogin=yes encourages packagers
(specifically, to my knowledge, the Debian Maintainers) to ship
packages that default to PermitRootLogin=yes.
I would like to suggest that either the default be changed to
without-password to encourage packagers downstream to do likewise,
or, alternatively, that a recommendation be added to the README saying that packagers
should not ship packages that default to PermitRootLogin=yes, but
should rather default future installs to without-password, and that
where practical they should try to ensure that upgrades (at least) warn
people that they are allowing root password guessing attacks, when that
is the case.
Of course, there is a problem with simply changing this default for
upgrades, because some people will be logged in via a root
password-authenticated login to do the upgrade, and may lose access to
the system if the default were changed on them without warning.
This idea is apparently uncontroversial, if one judges from the
response here:
http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-October/031689.html
Might I suggest that if there are objections after all, that they
should probably be explored in that thread, rather than clogging up the
bug tracking system.
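As an added illustration (not part of the bug report or of OpenSSH itself), the following shell functions read an sshd_config and report the effective global PermitRootLogin value, then warn when it is "yes", which is the upgrade-time check the report asks packagers for. It assumes whitespace-separated "Keyword value" syntax, that the first occurrence of a keyword wins (as in sshd), and that the compiled-in default is "yes" as the report states for 6.2p1; the sample configurations are constructed.

```bash
#!/bin/sh
# Report the effective global PermitRootLogin value of an sshd_config.
# Mirrors two sshd parsing rules: keywords are case-insensitive, and the
# FIRST occurrence of a keyword wins, so a later "PermitRootLogin no" does
# not override an earlier "yes". Only the global section is considered;
# everything after the first "Match" line is conditional and skipped here.
# Assumption: "Keyword value" syntax only (the "Keyword=value" form is not
# handled). If the keyword is absent, the compiled-in default applies,
# which the report states is "yes" for 6.2p1.
effective_permit_root_login() {
  awk '
    { key = tolower($1) }
    NF == 0 || key ~ /^#/ { next }                   # blank lines, comments
    key == "match" { exit }                          # stop at first Match block
    key == "permitrootlogin" && !found { value = $2; found = 1 }
    END { print (found ? value : "yes (compiled-in default)") }
  ' "$@"
}

# Return 1 and print a warning when the effective value is "yes", i.e. when
# root password logins (and so root password guessing) are permitted.
warn_if_root_password_login() {
  v=$(effective_permit_root_login "$@")
  case "$v" in
    yes*) echo "WARNING: PermitRootLogin is effectively '$v';" \
               "root password logins are allowed" >&2; return 1 ;;
    *)    echo "PermitRootLogin is '$v'"; return 0 ;;
  esac
}

# Constructed sample configurations (not real distribution defaults).
DEBIAN_STYLE='# package default that the report objects to
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED='Port 22
permitrootlogin without-password
# the next line is ignored by sshd: first occurrence wins
PermitRootLogin no
Match User backup
    PermitRootLogin yes'

ABSENT='Port 22
PasswordAuthentication yes'

# Stand-alone demo: check each sample (status 1 flags the risky one).
for cfg in "$DEBIAN_STYLE" "$HARDENED" "$ABSENT"; do
  printf '%s\n' "$cfg" | warn_if_root_password_login || :
done
```

Run it against a real file with `effective_permit_root_login /etc/ssh/sshd_config`; for the running daemon's view, `sshd -T` prints the fully resolved value and is preferable where available.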