Chris Adams wrote:
Once upon a time, Matthew Woehlke <mw_triad@xxxxxxxxxxx> said:
(please read my .sig, thanks!)
I always thought it was odd that some things (e.g. telnet) block root
logins but others (e.g. ssh) don't. I can telnet in and then su and the
password is just as much in the clear as it would have been with
straight root-login-telnet. Either all should allow or all should block
(I personally block), except for directly attached consoles (so root can
get in when all else is broken).
True, but then, IMO telnet should just be disabled, period :-).
Maybe sshd could be configured as "PermitRootLogin without-password",
which would require someone to configure keys (but not reconfigure sshd)
before root ssh could be used.
What's wrong with simply blocking root login unless root has a password?
(Or does this allow login with keys *or* a real password, which would be
fine?)
- block logins to accounts with no password
This is different from passphrase-less keys, right? If so I'd definitely
vote for this. It doesn't need to be exclusive with disabling root
login, though.
Yes. I'm pretty sure there is a difference between "account with no
password" and "account with empty-string password", and the sshd option
"PermitEmptyPasswords" (which defaults to no) works as you describe.
Ok. Eh, so I'm confused, an account with "no" password just cannot be
logged into at all, I thought? (Except via methods that wouldn't use
password authentication, e.g. key-based authentication as mentioned
above, 'su' as root...) I wouldn't expect an ssh setting for that, I'd
expect it to simply be denied :-).
--
Matthew
Please do not quote my e-mail address unobfuscated in message bodies.
--
"You know what Microsoft's problem really is? They've lost the ability
to feel ashamed." -- Pamela Jones (Groklaw)
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
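
The message above turns on the difference between an account whose password field is empty and one with no usable password at all, and on the sshd options `PermitRootLogin` and `PermitEmptyPasswords`. The following audit sketch is an added example, not part of the original thread; the sample `sshd_config` and shadow entries are constructed, the function names are hypothetical, and it assumes the shadow(5) field layout while ignoring `Match` blocks.

```python
# Added example (not from the thread). Sample data below is constructed.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin without-password
#PermitEmptyPasswords yes
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:14000:0:99999:7:::
guest::14000:0:99999:7:::
daemon:*:14000:0:99999:7:::
newuser:!!:14000:0:99999:7:::
"""

def sshd_settings(text):
    """Global keywords from sshd_config text; the first value seen is kept."""
    found = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # simplification: conditional Match blocks are not evaluated
        found.setdefault(key, parts[1].strip().lower())
    return found

def password_state(field):
    """Classify the second field of a shadow(5) entry."""
    if field == "":
        return "empty"   # no password is required for this account
    if field[0] in "!*":
        return "locked"  # not a valid hash: no password can ever match
    return "hashed"

def audit(sshd_text, shadow_text):
    cfg = sshd_settings(sshd_text)
    root_login = cfg.get("permitrootlogin", "unset")
    empty_ok = cfg.get("permitemptypasswords", "no")  # default per the thread
    findings = []
    if root_login == "yes":
        findings.append("PermitRootLogin yes: root password login is not blocked")
    for entry in shadow_text.splitlines():
        fields = entry.split(":")
        if len(fields) > 1 and password_state(fields[1]) == "empty":
            verdict = "allowed" if empty_ok == "yes" else "refused"
            findings.append(f"{fields[0]}: empty password, ssh password login {verdict}")
    return root_login, findings

if __name__ == "__main__":
    print(audit(SAMPLE_SSHD_CONFIG, SAMPLE_SHADOW))
```

Accounts classified as `locked` can still be reached by key-based authentication or by `su` from root, which is why they are not reported as findings here.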