Re: ssh X forwarding change in FC3

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2005-01-06 at 15:40 -0500, David Hollis wrote:
> On Thu, 2005-01-06 at 21:04 +0100, Alexander Dalloz wrote:
> 
> > 
> > No, that would be silly. Reverting a security improvement just because
> > users do not RTFM?
> > 
> > As commented too in the bugzilla entry the change is made long ago in
> > the upstream OpenSSH. See the FAQ
> > 
> > http://www.openssh.org/faq.html#3.12
> > http://www.openssh.org/faq.html#3.123
> > 
> > > Pádraig Brady - http://www.pixelbeat.org
> > 
> > Use OpenSSH properly and as documented and all is well.
> > 
> 
> I would like to see PermitRootLogin=no in the sshd_config file by
> default.  If I'm not mistaken, that is the default for openssh out of
> the box, but the installed config (indicates anyway) that
> PermitRootLogin=yes.  With things like the SSH password guessing worm
> running around, not allowing bad things to get in just because someones
> root password is weak is not a good thing.

Unfortunately this completely breaks remote installs (e.g. via VNC)
because you can install the machine but cannot log into it after
installation because you don't have a normal user to start with (that is
created in firstboot which didn't work over say serial console last I
checked).

IMO it'd be better to do some quality checks on the password assigned to
root during the installation and if it fails some dialog similar to the
one you get when you disable the firewall (which let's you proceed
anyway after a warning). Perhaps there could be a switch "Allow remote
root logins over SSH" in the same dialog where the root password is
specified.

Nils
-- 
     Nils Philippsen    /    Red Hat    /    nphilipp@xxxxxxxxxx
"They that can give up essential liberty to obtain a little temporary
 safety deserve neither liberty nor safety."     -- B. Franklin, 1759
 PGP fingerprint:  C4A8 9474 5C4C ADE3 2B8F  656D 47D8 9B65 6951 3011


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux