> > Future Deprecation Notice
> > =========================
> >
> > The 7.0 release of OpenSSH, due for release in late July, will
> > deprecate several features, some of which may affect compatibility
> > or existing configurations. The intended changes are as follows:
> >
> >  * The default for the sshd_config(5) PermitRootLogin option will
> >    change from "yes" to "no".
> Uh, wouldn't "without-password" be a better alternative than "no"?
>
> Getting the *first* authorized key on would still be "hard" (as in
> "ssh user@...", "su"|"sudo", "mkdir -m 0700 .ssh", "cat > .ssh/auth.."),
> but at least *further* keys could be done via "ssh-copy-id".
>
>
> I don't have any statistics handy, but I believe that public-key
> root authentication is widely used.
> (And sometimes needed - especially when something goes wrong,
> needing to authenticate as a normal user is one more thing that
> can go wrong - think NIS or LDAP failures, etc.)
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

I would second this plea. With a default of "without-password" you get
all the advantages for the default out-of-the-box build but authorized
keys can still be provisioned without a config change. With no
installed keys then it is effectively the same as "no".

        Anthony

--
Anthony R Fletcher
Room 2033, Building 12A,        http://dcb.cit.nih.gov/~arif
National Institutes of Health,  arif@xxxxxxxxxxxx
12A South Drive, Bethesda,      Phone: (+1) 301 402 1741.
MD 20892-5624, USA.
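Added example, not part of the original thread or of OpenSSH: a Python check of the point argued above, listing which methods can actually log root in for a given PermitRootLogin value and root authorized_keys content. It assumes only password and public-key authentication are enabled, takes file contents as strings, ignores Match blocks, and goes slightly beyond the thread by also accepting "prohibit-password", the synonym for "without-password" accepted since OpenSSH 7.0; `root_methods`, its helpers and the key line are constructed for illustration.

```python
# Added example; function names and sample inputs are constructed, not from the thread.
# Assumption: only password and public-key authentication are enabled in sshd.

KEY_ONLY = {"without-password", "prohibit-password"}  # synonym accepted since OpenSSH 7.0


def permit_root_login(sshd_config, default="no"):
    """Global PermitRootLogin value; sshd keeps the first value it reads."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        keyword = parts[0].lower()          # keywords are case-insensitive
        if keyword == "match":              # Match blocks are not evaluated here
            break
        if keyword == "permitrootlogin" and len(parts) > 1:
            return parts[1].strip('"')
    return default                          # "no" is the default the notice proposes


def has_keys(authorized_keys):
    """True if the file holds at least one non-comment, non-blank entry."""
    return any(l.strip() and not l.strip().startswith("#")
               for l in authorized_keys.splitlines())


def root_methods(sshd_config, root_authorized_keys, default="no"):
    """Authentication methods that can actually log root in."""
    mode = permit_root_login(sshd_config, default)
    keys = ["publickey"] if has_keys(root_authorized_keys) else []
    if mode == "no":
        return []
    if mode == "yes":
        return ["password"] + keys
    if mode in KEY_ONLY:
        return keys
    raise ValueError("value not handled in this example: " + mode)


SAMPLE_KEY = "ssh-ed25519 AAAA_CONSTRUCTED_PLACEHOLDER admin@example\n"

if __name__ == "__main__":
    for cfg, ak in [("PermitRootLogin no\n", SAMPLE_KEY),
                    ("PermitRootLogin without-password\n", ""),
                    ("PermitRootLogin without-password\n", SAMPLE_KEY),
                    ("PermitRootLogin yes\n", "")]:
        print(repr(cfg.strip()), "keys" if ak else "no keys", "->", root_methods(cfg, ak))
```

An empty result for "without-password" with no root keys matches the result for "no", while installing a key changes only the former.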