Hello Paul,

> On Monday, 12 January 2015 11:18 PM, Paul Wouters wrote:
> What if I told you Neo, that there are no strong passwords?
> Passwords are weak. Some are less weak than others. I'd rather
> teach people to use ssh keys for remote access and only restrict
> passwords to console/physical access. That would be a good
> security lesson to teach.

Sure, I'm all for it.

>> Thirdly, as said in another thread, if we resort to using keys based
>> authentication for 'root' account, it would lead to people using same
>> mechanism for other accounts too.
>
> Excellent! even less password guessing possible!

Exactly!

> And again, ignoring the collateral damage. As people suggested, keep ssh
> key based root logins allowed.

Sure, that's absolutely fine with me. It seems maybe you missed my earlier email wherein I said, how we restrict remote 'root' access is negotiable.

-> https://lists.fedoraproject.org/pipermail/devel/2015-January/206224.html

So 'PermitRootLogin=without-password' is good too.

> You can accomplish disabling password based remote root logins by
> disabling password based remote root logins:
>
> PermitRootLogin without-password
>
> This matches exactly what the feature is supposed to protect against -
> brute forced password attacks against root. I have not heard anyone
> in this thread yet saying this is unacceptable, except for your vague
> claim of 'it would lead to people using same mechanism for other
> accounts too' (which I interpret as good, not bad)

He..he..yes, even I meant it as an added advantage. As said before, 'PermitRootLogin=without-password' is fine for me too. :)

So, if everybody agrees with 'PermitRootLogin=without-password' as the _default_ sshd(8) configuration, maybe we could discuss other workflow issues that might crop up as a result.
---
Regards
-Prasad
http://feedmug.com
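
Added example, not part of the original message or of any Fedora or OpenSSH code: a small audit check that reads sshd_config text and reports the global `PermitRootLogin` value sshd would use, accepting both the `PermitRootLogin without-password` and `PermitRootLogin=without-password` spellings seen in this thread. The function names, the sample configurations and the `default="yes"` fallback are assumptions made for illustration; `Include` files and `Match` overrides are not evaluated.

```python
import re

# Values under which root cannot authenticate with a password.
# "without-password" is the older spelling of "prohibit-password".
NO_PASSWORD_VALUES = {"no", "without-password", "prohibit-password",
                      "forced-commands-only"}

# Keyword and argument are separated by whitespace or by a single "=".
LINE_RE = re.compile(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(\S.*)$")


def effective_permit_root_login(config_text, default="yes"):
    """Return the global PermitRootLogin value from sshd_config text.

    sshd uses the first value it reads for a keyword, so later duplicates
    are ignored. Parsing stops at the first Match block, whose settings
    apply only conditionally. `default` is an assumption: the built-in
    default depends on the OpenSSH version in use.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        keyword = m.group(1).lower()  # keywords are case-insensitive
        if keyword == "match":
            break
        if keyword == "permitrootlogin":
            return m.group(2).split()[0].strip('"')
    return default


def root_password_login_allowed(config_text, default="yes"):
    """True if PermitRootLogin leaves password authentication open to root."""
    return effective_permit_root_login(config_text, default) not in NO_PASSWORD_VALUES


# Constructed sample: the first PermitRootLogin line wins, the duplicate
# and the Match override are not part of the global setting.
SAMPLE_KEYS_ONLY = """\
Port 22
PermitRootLogin=without-password
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

# Constructed sample: the directive is commented out, so the default applies.
SAMPLE_COMMENTED = "#PermitRootLogin without-password\nPasswordAuthentication yes\n"
```

On a live host, `sshd -T` prints the effective configuration including included files, which makes it the more complete check.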