sshd: ssh_config default setting - PermitRootLogin yes

Jari Aalto jari.aalto at cante.net
Thu Apr 9 03:16:31 EST 2009


[Please keep CC, I'm not in this list]

The default setting for PermitRootLogin appears to be 'yes'.

An increasing number of attacks target the ssh port 22 and root logins
directly[1] through the Internet.

Would it be possible to tighten the initial installation by defaulting
PermitRootLogin to 'no' (or even in *.c) in forthcoming releases and
have administrators relax it if they see fit.

The configuration file could have an example to encourage the use of more
strict security settings. Something like:

    PermitRootLogin no

    # To enable root logins inside a trusted network, like a local LAN,
    # uncomment and adjust the following. The 'without-password' allows only
    # private key authentications, whereas 'yes' would allow password
    # authentication.

    # Match Address 192.168.1.0/24
    #   PermitRootLogin without-password

Jari

[1] Admins warned of brute-force SSH attacks
    http://www.securityfocus.com/news/11518
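The post proposes a global `PermitRootLogin no` with a `Match Address` block that relaxes it for one network. Whether that actually takes effect for a given client depends on how sshd resolves the global value against Match blocks. The following is an added example (not code from the post or from OpenSSH) that parses a constructed sshd_config in that shape and reports the effective PermitRootLogin value for a probe address. It assumes sshd's documented resolution order: the first value seen in the global section wins, a matching `Match` block overrides it, and when several `Match` blocks match, the first one that sets the keyword wins. Only the `Address` criterion is handled, and the fallback used when the keyword is absent is the 'yes' default the post reports for the 2009 release.

```python
import ipaddress

# Constructed sample config, shaped like the example proposed in the post.
SAMPLE_CONFIG = """
# Global section
Port 22
PermitRootLogin no
PasswordAuthentication yes

# Trusted LAN: key-only root logins
Match Address 192.168.1.0/24
    PermitRootLogin without-password

# Management ranges: password root logins (deliberately risky, for the demo)
Match Address 10.0.0.0/8,172.16.0.0/12
    PermitRootLogin yes
"""

# Default assumed when PermitRootLogin is absent; the post reports 'yes'.
ASSUMED_COMPILED_DEFAULT = "yes"


def parse_sshd_config(text):
    """Split an sshd_config text into (global_settings, match_blocks).

    global_settings: {lowercase keyword: value}, first occurrence wins.
    match_blocks: [([ip_network, ...], {keyword: value}), ...] in file order.
    Only 'Match Address' criteria are understood (assumption for this demo).
    """
    global_settings = {}
    match_blocks = []
    current = None  # settings dict of the Match block being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            networks = []
            tokens = value.split()
            i = 0
            while i < len(tokens):
                if tokens[i].lower() == "address" and i + 1 < len(tokens):
                    for net in tokens[i + 1].split(","):
                        networks.append(ipaddress.ip_network(net, strict=False))
                    i += 2
                else:
                    raise ValueError("unsupported Match criterion: %s" % tokens[i])
            current = {}
            match_blocks.append((networks, current))
        elif current is not None:
            current.setdefault(keyword, value)   # first value in a block wins
        else:
            global_settings.setdefault(keyword, value)
    return global_settings, match_blocks


def effective_permit_root_login(global_settings, match_blocks, client_ip):
    """Resolve PermitRootLogin for a client address the way sshd would."""
    addr = ipaddress.ip_address(client_ip)
    for networks, settings in match_blocks:
        if "permitrootlogin" in settings and any(addr in n for n in networks):
            return settings["permitrootlogin"]
    return global_settings.get("permitrootlogin", ASSUMED_COMPILED_DEFAULT)


def audit(text, probe_ips):
    """Return {probe_ip: effective PermitRootLogin} for a set of sample clients."""
    global_settings, match_blocks = parse_sshd_config(text)
    return {ip: effective_permit_root_login(global_settings, match_blocks, ip)
            for ip in probe_ips}


if __name__ == "__main__":
    # Constructed probe addresses: LAN host, management host, random Internet host.
    for ip, value in audit(SAMPLE_CONFIG, ["192.168.1.10", "10.1.2.3", "203.0.113.5"]).items():
        print("%-15s PermitRootLogin %s" % (ip, value))
```

Running it against the sample shows the Internet-facing answer is the global 'no', while the LAN gets key-only root logins and the 10/8 range still permits password root logins, which is the kind of override an auditor wants surfaced before relying on the global setting alone.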



More information about the openssh-unix-dev mailing list