[Bug 2164] PermitRootLogin=without-password as default

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Apr 28 22:17:24 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2164

--- Comment #6 from Philip Hands <phil at hands.com> ---
Fair enough.

I guess one would put without-password in the default config file.

The startup script could then check for keys allowing root logins, and
if absent, it could check that the config file still contained
without-password, and if so override that to no on the command line by
adding:

  -o PermitRootLogin=no

That, and a comment explaining what's going on in the distro's shipped
config file, should do the trick.

Would it be worth adding such a suggestion to the release notes when
explaining the intent behind the change?

Of course the script doing the checking for keys should perhaps look
out for AuthorizedKeysCommand being set too, and there may be other
wrinkles I've not thought of -- is there a way of getting sshd to spit
out the list of keys it would check for root?

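The startup-script check described in the comment above, sketched as an added example; it is not part of the bug comment and not OpenSSH code. The function names are hypothetical, the config path and root's home directory are passed as arguments, and parsing is simplified to the global section of a single config file.

```shell
#!/bin/sh
# Parsing is simplified: global section only, Match blocks and Include ignored.

# Print the first value of keyword $2 in config file $1 (sshd keeps the first).
conf_value() {
    awk -v kw="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { n = match($0, /[ \t=]/)
          key = tolower(n ? substr($0, 1, n - 1) : $0)
          val = n ? substr($0, n + 1) : ""
          sub(/^[ \t=]+/, "", val); sub(/[ \t]+$/, "", val) }
        key == "match" { exit }
        key == tolower(kw) { print val; exit }
    ' "$1"
}

# Succeed if a configured AuthorizedKeysFile for root has a non-comment line.
# $1 = sshd_config path, $2 = root's home directory
root_has_keys() {
    files=$(conf_value "$1" AuthorizedKeysFile)
    [ -n "$files" ] || files=".ssh/authorized_keys .ssh/authorized_keys2"
    for f in $files; do
        [ "$f" = "none" ] && continue
        f=$(printf '%s' "$f" | sed -e "s|%h|$2|g" -e 's|%u|root|g')
        case "$f" in /*) ;; *) f="$2/$f" ;; esac
        [ -r "$f" ] && grep -Eqv '^[[:space:]]*(#|$)' "$f" && return 0
    done
    return 1
}

# Print the extra sshd argument, or nothing if the config should stand.
root_login_override() {
    mode=$(conf_value "$1" PermitRootLogin)
    # Act only while the shipped default is still in place.
    [ "$mode" = "without-password" ] || return 0
    # An AuthorizedKeysCommand may supply keys this script cannot see.
    cmd=$(conf_value "$1" AuthorizedKeysCommand)
    if [ -n "$cmd" ] && [ "$cmd" != "none" ]; then return 0; fi
    root_has_keys "$1" "$2" || echo "-o PermitRootLogin=no"
}

# Constructed demo: scratch config plus an empty home directory for root.
demo=$(mktemp -d)
printf 'PermitRootLogin without-password\n' > "$demo/sshd_config"
echo "extra sshd args: $(root_login_override "$demo/sshd_config" "$demo")"
rm -rf "$demo"
```

On a real host the effective settings could be read from `sshd -T` instead of parsing the file, which would also account for Match blocks.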

