Announce: OpenSSH 6.9 released
Philip Hands
phil at hands.com
Thu Jul 23 00:53:45 AEST 2015
Matthew Vernon <matthew at debian.org> writes:
> Philipp Marek <philipp.marek at linbit.com> writes:
>
>> > Future Deprecation Notice
>> > =========================
>> >
>> > The 7.0 release of OpenSSH, due for release in late July, will
>> > deprecate several features, some of which may affect compatibility
>> > or existing configurations. The intended changes are as follows:
>> >
>> > * The default for the sshd_config(5) PermitRootLogin option will
>> > change from "yes" to "no".
>> Uh, wouldn't "without-password" be a better alternative than "no"?
>
> I agree (quite strongly) - it's not like an admin is going to
> accidentally set up an authorized_keys file for root. PermitRootLogin
> without-password seems the correct default - it stops password-attacks
> on root and makes it easy for admins to set up key-based access.
Nice to see that you've (finally) seen the light ;-)
For the reasoning behind the selection of "no" over "without-password"
see Damien's comments here:
https://bugzilla.mindrot.org/show_bug.cgi?id=2164#c3
I think he's probably right from the point of view of upstream, but that
distros should ship with a default config that enables without-password.
To encourage that, I'd think that the default config should contain
the 'without-password' setting, even if the binary defaults to 'no'.
A possibly better option (also mentioned in the bug) would be when
'without-password' is set, to look to see if there are any keys that
might be used for root logins at start-up, and if none are available
then run as though 'no' had been set. The only downside I can think of
with that being that you'd then need a SIGHUP to have the running daemon
notice when you add the first authorised key for root.
Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
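The start-up check Phil sketches above, as an added example that is not code from the thread or from OpenSSH: given the configured PermitRootLogin value and root's authorized_keys file, it reports the policy sshd would effectively apply. The key file path is a parameter and the sample key material is constructed, so it runs offline against throwaway files.

```shell
#!/bin/sh
# Added illustration of the proposed behaviour: if PermitRootLogin is
# 'without-password' but root has no usable authorized key at start-up,
# behave as though 'no' had been set. As Phil notes, a real daemon would
# still need a SIGHUP to notice the first key added later.

# count_root_keys FILE -> number of usable key lines; blank lines and
# '#' comments are skipped, as sshd itself ignores them.
count_root_keys() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# effective_policy SETTING FILE -> policy to apply at start-up.
# 'prohibit-password' is the later spelling of 'without-password'.
effective_policy() {
    setting=$1; keyfile=$2
    case "$setting" in
        without-password|prohibit-password)
            if [ "$(count_root_keys "$keyfile")" -gt 0 ]; then
                echo "$setting"
            else
                echo "no"   # no keys for root: fall back to 'no'
            fi ;;
        *)  echo "$setting" ;;   # yes / no / forced-commands-only pass through
    esac
}

# Constructed sample files for a stand-alone run.
tmp=$(mktemp -d)
printf '# root keys\n\n' > "$tmp/empty_keys"
printf '# root keys\nssh-ed25519 AAAAC3NotARealKey admin@example\n' > "$tmp/one_key"
effective_policy without-password "$tmp/empty_keys"   # prints: no
effective_policy without-password "$tmp/one_key"      # prints: without-password
rm -rf "$tmp"
```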