Announce: OpenSSH 6.9 released

Philip Hands phil at hands.com
Thu Jul 23 00:53:45 AEST 2015


Matthew Vernon <matthew at debian.org> writes:

> Philipp Marek <philipp.marek at linbit.com> writes:
>
>> > Future Deprecation Notice
>> > =========================
>> > 
>> > The 7.0 release of OpenSSH, due for release in late July, will
>> > deprecate several features, some of which may affect compatibility
>> > or existing configurations. The intended changes are as follows:
>> > 
>> >  * The default for the sshd_config(5) PermitRootLogin option will
>> >    change from "yes" to "no".
>> Uh, wouldn't "without-password" be a better alternative than "no"?
>
> I agree (quite strongly) - it's not like an admin is going to
> accidentally set up an authorized_keys file for root. PermitRootLogin
> without-password seems the correct default - it stops password-attacks
> on root and makes it easy for admins to set up key-based access.

Nice to see that you've (finally) seen the light ;-)

For the reasoning behind the selection of "no" over "without-password"
see Damien's comments here:

  https://bugzilla.mindrot.org/show_bug.cgi?id=2164#c3

I think he's probably right from the point of view of upstream, but that
distros should ship with a default config that enables without-password.

To encourage that, I'd think that the default config should contain
the 'without-password' setting, even if the binary defaults to 'no'.

A possibly better option (also mentioned in the bug) would be, when
'without-password' is set, to look to see if there are any keys that
might be used for root logins at start-up, and if none are available
then run as though 'no' had been set.  The only downside I can think of
with that is that you'd then need a SIGHUP to have the running daemon
notice when you add the first authorised key for root.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY
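
An added example, not part of the message above and not OpenSSH's own code: a small POSIX shell script that emulates the start-up check Phil proposes. It reads PermitRootLogin from an sshd_config the way sshd does (first occurrence wins, keywords are case-insensitive, '#' starts a comment), then, if the value is 'without-password' (or its later alias 'prohibit-password'), downgrades it to 'no' when root's authorized_keys file has no usable key lines. The sample configs and the key line are constructed fixtures written to a temporary directory; the 6.x default of 'yes' when the keyword is absent is assumed here, since the 7.0 release changes it to 'no'.

```shell
#!/bin/sh
# Added example (not OpenSSH code): emulate "treat without-password as no
# when root has no keys". Usage: effective_permit_root_login CONFIG KEYS

# First occurrence of PermitRootLogin wins, keyword is case-insensitive,
# comment lines are ignored. Assumes the 6.x default "yes" when absent.
configured_permit_root_login() {
    awk '
        /^[[:space:]]*#/ { next }
        tolower($1) == "permitrootlogin" { v = tolower($2); exit }
        END { print (v == "") ? "yes" : v }
    ' "$1"
}

# Count usable lines in an authorized_keys file (non-blank, not comments).
# A missing or unreadable file counts as zero keys.
root_key_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk '!/^[[:space:]]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# The proposed policy: key-only root login only makes sense if root has
# at least one key, otherwise behave as if PermitRootLogin were "no".
effective_permit_root_login() {
    policy=$(configured_permit_root_login "$1")
    case "$policy" in
        without-password|prohibit-password)
            if [ "$(root_key_count "$2")" -eq 0 ]; then
                echo no
            else
                echo "$policy"
            fi
            ;;
        *) echo "$policy" ;;
    esac
}

# Constructed fixtures (fake key material, not a real key). Prints the
# directory so callers can point the functions at the files.
make_fixture() {
    d=$(mktemp -d)
    # Weak 6.x-style default: keyword commented out, so "yes" applies.
    printf '# PermitRootLogin yes\nPasswordAuthentication yes\n' > "$d/weak.conf"
    # Hardened: key-only root; a later duplicate must NOT override it.
    printf 'PermitRootLogin without-password\nPermitRootLogin yes\n' > "$d/keys_only.conf"
    # Upstream 7.0 default spelled out explicitly (case differs on purpose).
    printf 'permitrootlogin NO\n' > "$d/none.conf"
    : > "$d/empty_keys"
    printf '# comment only\n\n' > "$d/comment_keys"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedNotARealKey root@example\n' > "$d/root_keys"
    echo "$d"
}

# Demo when run directly: show configured vs effective policy per fixture.
demo() {
    d=$(make_fixture)
    for cfg in weak keys_only none; do
        for keys in empty_keys root_keys; do
            printf '%-10s %-10s configured=%-16s effective=%s\n' \
                "$cfg" "$keys" \
                "$(configured_permit_root_login "$d/$cfg.conf")" \
                "$(effective_permit_root_login "$d/$cfg.conf" "$d/$keys")"
        done
    done
    rm -rf "$d"
}
demo
```

Run it as-is to see the table; to check a live host, point effective_permit_root_login at /etc/ssh/sshd_config and root's authorized_keys file (typically /root/.ssh/authorized_keys, subject to the AuthorizedKeysFile setting, which this script does not parse).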