Announce: OpenSSH 6.9 released

Anthony R Fletcher arif at mail.nih.gov
Wed Jul 1 22:19:55 AEST 2015


> > Future Deprecation Notice
> > =========================
> > 
> > The 7.0 release of OpenSSH, due for release in late July, will
> > deprecate several features, some of which may affect compatibility
> > or existing configurations. The intended changes are as follows:
> > 
> >  * The default for the sshd_config(5) PermitRootLogin option will
> >    change from "yes" to "no".
> Uh, wouldn't "without-password" be a better alternative than "no"?
> 
> Getting the *first* authorized key on would still be "hard" (as in
> "ssh user@...", "su"|"sudo", "mkdir -m 0700 .ssh", "cat > .ssh/auth.."),
> but at least *further* keys could be done via "ssh-copy-id".
> 
> 
> I don't have any statistics handy, but I believe that public-key
> root authentication is widely used.
> (And sometimes needed - especially when something goes wrong,
> needing to authenticate as a normal user is one more thing that
> can go wrong - think NIS or LDAP failures, etc.)
> 

I would second this plea. 

With a default of "without-password" you get all the advantages for the
default out-of-the-box build but authorized keys can still be
provisioned without a config change. With no installed keys then it is
effectively the same as "no".

		Anthony

-- 
Anthony R Fletcher        
  Room 2033, Building 12A,        http://dcb.cit.nih.gov/~arif
  National Institutes of Health,  arif at mail.nih.gov
  12A South Drive, Bethesda,      Phone: (+1) 301 402 1741.
  MD 20892-5624, USA.
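
The following is an added example, not part of the original message or of OpenSSH itself: a small shell audit that shows how the choice of default discussed above interacts with whether root has any authorized keys. The function names are hypothetical, the built-in default is passed in as a parameter because it differs between releases, only the global (pre-Match) scope of sshd_config is read, and "prohibit-password" is a name from later releases that the thread does not mention.

```shell
#!/bin/sh
# Added example (not from the thread). Reports which root login path a config
# leaves open, given the global PermitRootLogin value and root's key count.

# Print the global PermitRootLogin value. sshd keeps the first value it
# obtains for a keyword, keywords are case-insensitive, and lines after a
# Match line are conditional, so scanning stops there. Include is not followed.
effective_prl() {  # $1 = sshd_config path, $2 = built-in default to assume
    awk -v def="$2" '
        /^[ \t]*#/ { next }
        { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
        low ~ /^match[ \t]/ { exit }
        low ~ /^permitrootlogin[ \t=]/ {
            sub(/^[^ \t=]+[ \t]*=?[ \t]*/, "", line); gsub(/"/, "", line)
            split(line, a, /[ \t]+/); val = a[1]; found = 1; exit
        }
        END { print (found ? val : def) }
    ' "$1"
}

# Count key lines (non-blank, non-comment) in an authorized_keys file.
count_keys() {  # $1 = authorized_keys path
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

root_login_exposure() {  # $1 = config, $2 = authorized_keys, $3 = default
    mode=$(effective_prl "$1" "$3"); keys=$(count_keys "$2")
    case "$mode" in
        yes) echo "any-enabled-method" ;;
        no)  echo "denied" ;;
        without-password|prohibit-password)  # second name: alias in later releases
            if [ "$keys" -gt 0 ]; then echo "public-key"; else echo "no-key-installed"; fi ;;
        forced-commands-only) echo "public-key-forced-command" ;;
        *) echo "unknown:$mode" ;;
    esac
}

# Constructed sample: directive absent globally, set only inside a Match block.
d=$(mktemp -d)
printf 'Port 22\nMatch Address 192.0.2.0/24\n  PermitRootLogin no\n' > "$d/sshd_config"
echo "6.9 default:      $(root_login_exposure "$d/sshd_config" "$d/none" yes)"
echo "proposed default: $(root_login_exposure "$d/sshd_config" "$d/none" without-password)"
rm -rf "$d"
```

On a real host the call would be `root_login_exposure /etc/ssh/sshd_config /root/.ssh/authorized_keys yes`, with the last argument set to the default of the installed release.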

