Matthew Vernon <matthew@xxxxxxxxxx> writes:

> Philipp Marek <philipp.marek@xxxxxxxxxx> writes:
>
>> > Future Deprecation Notice
>> > =========================
>> >
>> > The 7.0 release of OpenSSH, due for release in late July, will
>> > deprecate several features, some of which may affect compatibility
>> > or existing configurations. The intended changes are as follows:
>> >
>> > * The default for the sshd_config(5) PermitRootLogin option will
>> > change from "yes" to "no".
>> Uh, wouldn't "without-password" be a better alternative than "no"?
>
> I agree (quite strongly) - it's not like an admin is going to
> accidentally set up an authorized_keys file for root. PermitRootLogin
> without-password seems the correct default - it stops password-attacks
> on root and makes it easy for admins to set up key-based access.

Nice to see that you've (finally) seen the light ;-)

For the reasoning behind the selection of "no" over "without-password"
see Damien's comments here:

  https://bugzilla.mindrot.org/show_bug.cgi?id=2164#c3

I think he's probably right from the point of view of upstream, but that
distros should ship with a default config that enables without-password.

To encourage that, I'd think that the default config should contain the
'without-password' setting, even if the binary defaults to 'no'.

A possibly better option (also mentioned in the bug) would be when
'without-password' is set, to look to see if there are any keys that
might be used for root logins at start-up, and if none are available
then run as though 'no' had been set. The only downside I can think of
with that being that you'd then need a SIGHUP to have the running daemon
notice when you add the first authorised key for root.

Cheers, Phil.
-- 
|)|  Philip Hands [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/  http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,  21075 Hamburg,  GERMANY
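The "look for usable root keys at start-up" idea from the post above, as an added audit script that is not part of the thread or of OpenSSH: it reads PermitRootLogin from an sshd_config-style file, counts candidate keys in an authorized_keys file, and reports the effective policy (without-password with zero keys is treated as "no"). File names, the scratch directory and the key material are constructed for the example; the function names are the author's own, not sshd's.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: audit the
# "effective" root-login policy. If PermitRootLogin is without-password but
# root has no usable public key installed, the daemon is effectively running
# with "no" until a key is added (and, as the post notes, sshd re-read it).
# Simplifications: first keyword occurrence wins; Match/Include are ignored.

COMPILED_DEFAULT=${COMPILED_DEFAULT:-yes}   # pre-7.0 built-in default per the notice

# Print the (lowercased) PermitRootLogin value from an sshd_config-style file.
# sshd honours the first occurrence; a missing keyword means the built-in.
permit_root_login() {
    [ -r "$1" ] || { echo "$COMPILED_DEFAULT"; return; }
    awk -v dflt="$COMPILED_DEFAULT" '
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }' "$1"
}

# Count candidate keys in an authorized_keys file: every line that is neither
# blank nor a comment. A missing or unreadable file counts as zero keys.
count_root_keys() {
    [ -r "$1" ] || { echo 0; return; }
    n=$(grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1") || n=0
    echo "$n"
}

# Combine both: without-password with zero installed keys behaves like "no".
effective_root_login() {
    policy=$(permit_root_login "$1")
    keys=$(count_root_keys "$2")
    case "$policy" in
        without-password|prohibit-password)   # prohibit-password: later spelling
            if [ "$keys" -gt 0 ]; then echo "$policy"; else echo "no"; fi ;;
        *) echo "$policy" ;;
    esac
}

# Constructed sample inputs in a scratch directory (removed on exit).
SCRATCH=$(mktemp -d); trap 'rm -rf "$SCRATCH"' EXIT
printf 'PermitRootLogin without-password\nPasswordAuthentication yes\n' > "$SCRATCH/sshd_config"
: > "$SCRATCH/keys_empty"
printf '# backup host\nssh-ed25519 AAAAC3NzaC1lZDI1NTE5-placeholder-not-a-real-key root@backup\n' \
    > "$SCRATCH/keys_one"

for k in keys_empty keys_one; do
    echo "$k: configured=$(permit_root_login "$SCRATCH/sshd_config")" \
         "keys=$(count_root_keys "$SCRATCH/$k")" \
         "effective=$(effective_root_login "$SCRATCH/sshd_config" "$SCRATCH/$k")"
done
```

Run against the real files (e.g. /etc/ssh/sshd_config and /root/.ssh/authorized_keys) it flags the case the post describes: a distro default of without-password on a host where nobody has installed a root key yet.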
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev