On Thu, 2005-01-06 at 15:40 -0500, David Hollis wrote:
> On Thu, 2005-01-06 at 21:04 +0100, Alexander Dalloz wrote:
> > >
> > No, that would be silly. Reverting a security improvement just because
> > users do not RTFM?
> >
> > As commented too in the bugzilla entry the change is made long ago in
> > the upstream OpenSSH. See the FAQ
> >
> > http://www.openssh.org/faq.html#3.12
> > http://www.openssh.org/faq.html#3.123
> >
> > > Pádraig Brady - http://www.pixelbeat.org
> >
> > Use OpenSSH properly and as documented and all is well.
> >
>
> I would like to see PermitRootLogin=no in the sshd_config file by
> default. If I'm not mistaken, that is the default for openssh out of
> the box, but the installed config (indicates anyway) that
> PermitRootLogin=yes. With things like the SSH password guessing worm
> running around, not allowing bad things to get in just because someone's
> root password is weak is not a good thing.

Unfortunately this completely breaks remote installs (e.g. via VNC)
because you can install the machine but cannot log into it after
installation because you don't have a normal user to start with (that is
created in firstboot which didn't work over say serial console last I
checked).

IMO it'd be better to do some quality checks on the password assigned to
root during the installation and if it fails some dialog similar to the
one you get when you disable the firewall (which lets you proceed anyway
after a warning).

Perhaps there could be a switch "Allow remote root logins over SSH" in
the same dialog where the root password is specified.

Nils
-- 
Nils Philippsen / Red Hat / nphilipp@xxxxxxxxxx
"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety." -- B. Franklin, 1759
PGP fingerprint: C4A8 9474 5C4C ADE3 2B8F 656D 47D8 9B65 6951 3011