PermitRootLogin=without-password as default

Mon Oct 7 05:02:02 EST 2013

On 10/5/2013 8:24 PM, Philip Hands wrote:
> Hi,
> 
> Ever since 'without-password' became an option, I've thought it would
> make a better default (and I actually used to patch it that way when I
> was the Debian Maintainer. My successors think that it's more important
> to minimise the size of the patch, which is also a reasonable point).
> 
> The thing that prompted me to finally mention this here, is this story:
> 
>   http://bsdly.blogspot.ca/2013/10/the-hail-mary-cloud-and-lessons-learned.html
> 
> and the unsurprising fact that the most popular account to guess is
> 'root', as seen here:
> 
>   http://home.nuug.no/~peter/hailmary2013/2008nov19/slowbrutes.data/massage/hail-mary-users-by-frequency.txt
> 
> I imagine that this issue seems a little irrelevant on this list, as
> we're all perfectly capable of setting whatever value we want in the
> sshd_config, but that's not the point.
> 
> The point is that the default set here is then inherited by the
> maintainers of the packages for various OSs, and then offered to users as
> the default value.
> 
> Some of those users are not very competent, and will have chosen
> worthless passwords when setting up the system, and are not necessarily
> aware of quite what they are doing when installing sshd.
> 
> For example, I can imagine someone being told that they can improve the
> security of their server if they switch from using ftp to sftp for
> uploads and not realising that the useless root password is going to be
> placed in the firing line for these attacks if they follow that advice.
> 
> I don't know if the best route is to actually change the default in the
> binary, or perhaps to supply the default sshd_config with the setting in
> place, or even just to strongly recommend that distributions ensure that
> 'without-password' is the setting that new installs get by default
> unless the user requests otherwise.
> 
> It is of course important that any change avoids the risk of locking
> people out of systems when they upgrade them via an ssh connection.
> 
> It probably seems to many here that this is a problem that the
> distributions need to handle, and I'd mostly agree with that, but since
> the distributions look here for guidance I's suggest that any change
> needs to come from the top.
> 
> Thoughts?

PermitRootLogin Yes is very much not secure by default. I run my systems
as 'without-password' as well. That or 'No' would be a much more sane
default IMHO.

> 
> Cheers, Phil.
> 
> P.S. This could have been a bug report, and I'll happily submit a bug if
> there's a consensus about this, but I know that people have held
> differing views about this, and I didn't want to clog the bug tracker
> with a massive argument -- I hope we can avoid that on the mailing list
> too :-)
> 

-- 
Regards,
Bryan Drewery
bdrewery at freenode/EFNet