Once upon a time, Matthew Woehlke <mw_triad@xxxxxxxxxxxxxxxxxxxxx> said:
> Chris Adams wrote:
> >- block root logins
>
> This seems to be the default on some UNIX's (or, at least, it's true for
> some of the machines I work with, though it's possible that IT set it
> up). I'm indifferent; I might re-enable it (though, since I can su also,
> I might not), but I don't mind making this default.

I always thought it was odd that some things (e.g. telnet) block root
logins but others (e.g. ssh) don't. I can telnet in and then su and the
password is just as much in the clear as it would have been with
straight root-login-telnet. Either all should allow or all should block
(I personally block), except for directly attached consoles (so root can
get in when all else is broken).

Maybe sshd could be configured as "PermitRootLogin without-password",
which would require someone to configure keys (but not reconfigure sshd)
before root ssh could be used.

> >- block logins to accounts with no password
>
> This is different from passphrase-less keys, right? If so I'd definitely
> vote for this. It doesn't need to be exclusive with disabling root
> login, though.

Yes. I'm pretty sure there is a difference between "account with no
password" and "account with empty-string password", and the sshd option
"PermitEmptyPasswords" (which defaults to no) works as you describe.

--
Chris Adams <cmadams@xxxxxxxxxx>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
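
The two sshd options discussed in the message above, as an added example that is not part of the original post: a Python check that resolves which `PermitRootLogin` and `PermitEmptyPasswords` values are in effect in an sshd_config and flags the ones the thread proposes to block. It assumes the defaults of OpenSSH 7.0 and later when a keyword is absent and looks only at the global section before the first `Match` block; the sample config and the function names are constructed for illustration.

```python
# Added example: report how an sshd_config resolves the two options discussed.
# Assumptions: defaults are those of OpenSSH 7.0 and later, and only the
# global section (everything before the first Match block) is examined.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "permitemptypasswords": "no"}

# Constructed sample, not taken from a real host.
SAMPLE = """\
# root may use keys only
permitrootlogin without-password
PermitRootLogin yes
PermitEmptyPasswords=yes
Match User backup
    PermitEmptyPasswords no
"""

def effective_settings(config_text):
    """Return the global value in effect for each keyword in DEFAULTS."""
    found = {}
    for raw in config_text.splitlines():
        # Tolerate "Keyword=value" as well as "Keyword value".
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":
            break                       # conditional blocks are out of scope
        if key in DEFAULTS and len(parts) > 1:
            found.setdefault(key, parts[1])   # first value obtained wins
    return {**DEFAULTS, **found}

def audit(config_text):
    """List settings that allow what the thread proposes to block."""
    s = effective_settings(config_text)
    findings = []
    root = s["permitrootlogin"]
    if root == "without-password":      # deprecated alias, same behaviour
        root = "prohibit-password"
    if root == "yes":
        findings.append("PermitRootLogin yes: root password logins allowed")
    if s["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords yes: empty passwords accepted")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE) or ["no findings"]:
        print(finding)
```

In the sample the later `PermitRootLogin yes` line is not reported because the earlier `without-password` line is the one in effect; on a live host, `sshd -T` prints the values the daemon actually resolved.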