On Sun, Nov 23, 2014 at 7:44 PM, Dennis Gilmore <dennis@xxxxxxxx> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Fri, 21 Nov 2014 07:11:27 +0000 (UTC)
> P J P <pj.pandit@xxxxxxxxxxx> wrote:
>
>> Hello,
>>
>> The sshd(8) daemon by default allows remote users to log in as root.
>>
>> 1. Is that really necessary?
>> 2. A lot of users use their systems as root, without even creating a
>> non-root user. Such practices need to be discouraged; not allowing
>> remote root login could be useful in that.
>>
>> Does it make sense to disable remote root login by default? If so, do
>> we need to just report it to the maintainer, or would it be treated as
>> a feature?
>
> I think it's a bad idea, but I say so as a user that, when installing a
> new system, especially a remote VM, will log in as root via ssh and
> join the machine post-install to my IPA domain.
>
> Dennis

This is an old, old subject and debate in the SSH community. Every time
people try to change defaults, it can and *will* break existing practices,
even if the defaults are a security problem and should have been changed a
decade ago.

Personally? I'd *love* to see the default allow direct root login only from
"localhost". That means a 'Match Host' change to re-enable PermitRootLogin
only if the connection is from localhost, which is a bit more sophisticated
than just turning PermitRootLogin on or off.

Plus, I don't know if you've looked lately, but some people *really* screw up
"localhost" settings in /etc/hosts as they try to get clever with shoving the
FQDN into the loopback IP addresses, and hilarity ensues.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
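The "root only from localhost" arrangement the reply sketches, written out as sshd_config fragments. This is an added example and not part of the thread or of the Fedora default configuration; it uses the address-based Match Address form rather than the Match Host form named in the reply, because Match Host compares against the client's reverse-resolved hostname (and so depends on DNS, UseDNS and the very /etc/hosts entries the reply warns about), while Match Address compares the client's IP address directly. The loopback addresses are the only ones assumed.

```text
# sshd_config fragments: added example, not from the mailing-list thread.

# Weak setting (the default the thread objects to): root may log in over
# SSH from any source address.
PermitRootLogin yes

# Hardened alternative: deny root globally, then re-enable it only for
# connections arriving from the loopback interface. Match Address matches
# the client's IP/CIDR and does not consult DNS or /etc/hosts, so a broken
# "localhost" line in /etc/hosts cannot widen or break the rule.
PermitRootLogin no

# Match blocks must come after all global keywords; every keyword below a
# Match line applies only to connections that satisfy that Match.
Match Address 127.0.0.1,::1
    PermitRootLogin yes
```

To confirm what sshd will actually apply for a given client, run the daemon in extended-test mode with a connection spec and read the resulting `permitrootlogin` line: `sshd -T -C user=root,addr=127.0.0.1` should report `yes`, while `sshd -T -C user=root,addr=203.0.113.5` (a TEST-NET address standing in for any remote host) should report `no`. Note that with the global `PermitRootLogin no`, root cannot log in remotely even with a public key; if the aim is only to block password guessing while keeping key-based remote root (Dennis's post-install use case), `PermitRootLogin prohibit-password` (older releases spell it `without-password`) is the setting to compare against instead.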