[openssh-unix-dev] Functionality bug (possibly) in openssh on AIX 4.3 (fwd)

Jason Stone jason at shalott.net
Fri Apr 27 17:00:25 EST 2001




> > > Which is why I'm not really too eager to apply.  Ignoring system
> > > policies is not really the best thing.
> >
> >Why not, PermitRootLogin already ignores 'insecure' markings in
> >/etc/ttys on openbsd, and similar features in other operating systems.
> 
> have to vote against its inclusion; just because PermitRootLogin is 
> "broken" (I'm not saying that it is; that is just my opinion) on the 
> other platforms, it doesn't mean it should be broken everywhere.
> 
> as an aix admin, if I want to turn off root login via the network, I 
> really want it turned off.

So then don't enable that option in your config.

My feeling on PermitRootLogin is that it's there so that admins who feel
comfortable with it can override system policy for old stuff like telnet,
but make the decision to trust ssh.

It's real easy - if you want no direct root logins at all, ever, then
leave PermitRootLogin=no.  This is the default.

If the default is to be conservative and follow system policy, but the
experienced admin has the ability to override that when he wants/needs,
then what's the problem?


Anyway, this debate seems silly as PermitRootLogin already exists.  All
that this patch does is to make the behaviour on AIX consistent with the
behaviour on other platforms.  And as an administrator of a heterogeneous
network, I can tell you that consistent behaviour is very important.


 -Jason

 ---------------------------
 If the Revolution comes to grief, it will be because you and those you
 lead have become alarmed at your own brutality.         --John Gardner






