PermitRootLogin=without-password as default

Philip Hands phil at hands.com
Sun Oct 6 12:24:49 EST 2013


Hi,

Ever since 'without-password' became an option, I've thought it would
make a better default (and I actually used to patch it that way when I
was the Debian Maintainer. My successors think that it's more important
to minimise the size of the patch, which is also a reasonable point).

The thing that prompted me to finally mention this here, is this story:

  http://bsdly.blogspot.ca/2013/10/the-hail-mary-cloud-and-lessons-learned.html

and the unsurprising fact that the most popular account to guess is
'root', as seen here:

  http://home.nuug.no/~peter/hailmary2013/2008nov19/slowbrutes.data/massage/hail-mary-users-by-frequency.txt

I imagine that this issue seems a little irrelevant on this list, as
we're all perfectly capable of setting whatever value we want in the
sshd_config, but that's not the point.

The point is that the default set here is then inherited by the
maintainers of the packages for various OSs, and then offered to users as
the default value.

Some of those users are not very competent, and will have chosen
worthless passwords when setting up the system, and are not necessarily
aware of quite what they are doing when installing sshd.

For example, I can imagine someone being told that they can improve the
security of their server if they switch from using ftp to sftp for
uploads and not realising that the useless root password is going to be
placed in the firing line for these attacks if they follow that advice.

I don't know if the best route is to actually change the default in the
binary, or perhaps to supply the default sshd_config with the setting in
place, or even just to strongly recommend that distributions ensure that
'without-password' is the setting that new installs get by default
unless the user requests otherwise.

It is of course important that any change avoids the risk of locking
people out of systems when they upgrade them via an ssh connection.

It probably seems to many here that this is a problem that the
distributions need to handle, and I'd mostly agree with that, but since
the distributions look here for guidance I'd suggest that any change
needs to come from the top.

Thoughts?

Cheers, Phil.

P.S. This could have been a bug report, and I'll happily submit a bug if
there's a consensus about this, but I know that people have held
differing views about this, and I didn't want to clog the bug tracker
with a massive argument -- I hope we can avoid that on the mailing list
too :-)
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]    http://www.hands.com/
|-|  HANDS.COM Ltd.                    http://www.uk.debian.org/
|(|  10 Onslow Gardens, South Woodford, London  E18 1NE  ENGLAND
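As an added illustration (not part of Phil's message or the OpenSSH project), the following Python audit reads an sshd_config and reports whether the global settings leave root reachable by password, which is exactly the exposure the post is worried about. It accepts both the `keyword value` and the `keyword=value` spelling used in the subject line, applies sshd's first-occurrence-wins rule, and assumes the upstream defaults of the time (`PermitRootLogin yes`, `PasswordAuthentication yes`); the sample configs are constructed.

```python
"""Audit an sshd_config for root-over-password exposure (added example)."""
import re

# Upstream defaults assumed for keywords that are not set explicitly.
DEFAULT_PERMIT_ROOT_LOGIN = "yes"
DEFAULT_PASSWORD_AUTH = "yes"
DEFAULT_CHALLENGE_RESPONSE = "yes"   # keyboard-interactive can also carry a password

# Values that keep root key-only (prohibit-password is a later synonym).
KEY_ONLY = {"without-password", "prohibit-password", "forced-commands-only"}

# "Keyword value" or "Keyword=value"; sshd allows either separator.
_LINE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)\s*(?:=\s*|\s+)(.*?)\s*$")


def parse_sshd_config(text):
    """Return the global keyword->value map (keys lower-cased).

    First occurrence wins, as in sshd.  Settings inside Match blocks are
    conditional on the client, so they are skipped by this global audit.
    """
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip('"').lower()
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, value)
    return settings


def root_password_exposed(text):
    """True when the global config lets root authenticate with a password."""
    s = parse_sshd_config(text)
    prl = s.get("permitrootlogin", DEFAULT_PERMIT_ROOT_LOGIN)
    if prl == "no" or prl in KEY_ONLY:
        return False
    return (s.get("passwordauthentication", DEFAULT_PASSWORD_AUTH) == "yes"
            or s.get("challengeresponseauthentication", DEFAULT_CHALLENGE_RESPONSE) == "yes")


# Constructed samples: a stock-looking config and one with Phil's proposed default.
WEAK = "#PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("PermitRootLogin=without-password\nPasswordAuthentication yes\n"
            "Match Address 10.0.0.0/8\n    PermitRootLogin yes\n")
```

Run it against `/etc/ssh/sshd_config` on a host to see which of the two cases a fresh install falls into; `sshd -T` prints the effective values if you would rather check the running daemon.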