[openssh-unix-dev] Functionality bug (possibly) in openssh on AIX 4.3 (fwd)
David Terrell
dbt at meat.net
Fri Apr 27 10:59:36 EST 2001
On Thu, Apr 26, 2001 at 06:40:31PM -0500, mouring at etoh.eviladmin.org wrote:
> On Thu, 26 Apr 2001, David Bronder wrote:
>
> > I haven't tried the patch (still fighting another possibly-AIX problem
> > that I haven't seen other reports of yet). But I'd recommend against
> > this patch, at least as a default.
> >
> > What he is proposing is for OpenSSH to disregard a system-wide policy
> > decision -- that root should not be permitted to directly log in from
> > the network. There are more reasons to disable remote logins as root
> > (vs. normal login then su) than just to prevent plaintext use of the
> > root password; for example, audit trails for a group of admins or site
> > security policies. This patch would violate the expected behavior of
> > the system.
> >
> > A good compromise would probably be to make it a configure-time feature
> > that also required a run-time config option to enable it (defaulting to
> > the current and expected behavior). That way, it's only active if the
> > admin consciously chooses it.
>
> Which is why I'm not really too eager to apply. Ignoring system policies
> is not really the best thing.
Why not? PermitRootLogin already ignores 'insecure' markings in
/etc/ttys on OpenBSD, and similar features in other operating systems.
--
David Terrell | "I went into Barnes and Noble to look for a
Prime Minister, Nebcorp | book on A.D.D., but I got bored and left."
dbt at meat.net | - Benjy Feen
http://wwn.nebcorp.com/ |