Re: About setting 'PermitRootLogin=no' in sshd_config

  Hello Tomas,

> On Thursday, 27 November 2014 3:05 PM, Tomas Mraz wrote:
>> ----- Original Message -----
>> On Wed, Nov 26, 2014 at 11:48 AM, Scott Schmit wrote:
>>
>> Look, this is a basic system configuration. It's not "Cripple Mr.
>> Onion". Pick *one* setting, and let people know from that whether
>> they'll need to manipulate their local environments for their
>> particular subtle needs.
>> 
> 
> Exactly! The more I think about this Change the more I am having an
> opinion that we should reject it altogether. In fact this change does not
> really bring any real security improvement because for the Workstation
> the sshd is already disabled completely by default and for the other products
> the people who are installing them can be expected to know what they are doing.

  That's not a prudent expectation.

> Also disabling root access does not improve security against targeted attacks
> because in such cases the user name can be quite easily inferred. So basically
> this feature is just a 'marketing' improvement and not worth the hassle.


  I disagree.

Just because it is easy to infer non-root user names does not mean we tell people it is 'root'. Secondly, it might be easy for you to infer such names, not for everyone. The increased difficulty level that is added by not allowing remote root login could help to thwart a lot of real & automated attacks.[1] Thirdly, it need not be entirely about security; it's also about picking the right default configuration. Same as disabling sshd(8) in Workstation by default. As Scott wrote above:

   ...Pick *one* setting, and let people know from that...

This feature, like any other, requires users to tweak their current practices to suit the new defaults. That is no reason not to do it, because in the longer run it is only beneficial.

[1] https://lists.fedoraproject.org/pipermail/security/2014-November/002031.html
---
Regards
   -Prasad
http://feedmug.com