Re: Announce: OpenSSH 6.9 released

Matthew Vernon <matthew@xxxxxxxxxx> writes:

> Philipp Marek <philipp.marek@xxxxxxxxxx> writes:
>
>> > Future Deprecation Notice
>> > =========================
>> > 
>> > The 7.0 release of OpenSSH, due for release in late July, will
>> > deprecate several features, some of which may affect compatibility
>> > or existing configurations. The intended changes are as follows:
>> > 
>> >  * The default for the sshd_config(5) PermitRootLogin option will
>> >    change from "yes" to "no".
>> Uh, wouldn't "without-password" be a better alternative than "no"?
>
> I agree (quite strongly) - it's not like an admin is going to
> accidentally set up an authorized_keys file for root. PermitRootLogin
> without-password seems the correct default - it stops password-attacks
> on root and makes it easy for admins to set up key-based access.

Nice to see that you've (finally) seen the light ;-)

For the reasoning behind the selection of "no" over "without-password"
see Damien's comments here:

  https://bugzilla.mindrot.org/show_bug.cgi?id=2164#c3

I think he's probably right from the point of view of upstream, but that
distros should ship with a default config that enables without-password.

To encourage that, I'd think that the default config should contain
the 'without-password' setting, even if the binary defaults to 'no'.

A possibly better option (also mentioned in the bug) would be, when
'without-password' is set, to look to see if there are any keys that
might be used for root logins at start-up, and if none are available
then run as though 'no' had been set.  The only downside I can think of
with that is that you'd then need a SIGHUP to have the running daemon
notice when you add the first authorised key for root.

Cheers, Phil.
-- 
|)|  Philip Hands  [+44 (0)20 8530 9560]  HANDS.COM Ltd.
|-|  http://www.hands.com/    http://ftp.uk.debian.org/
|(|  Hugo-Klemm-Strasse 34,   21075 Hamburg,    GERMANY

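The start-up check proposed in the message above, written out as an added audit helper (this is example code for this page, not OpenSSH's own logic and not the author's): it reads the global PermitRootLogin value from sshd_config text, counts usable keys in root's authorized_keys, and reports the policy the proposed rule would apply. It assumes Match blocks can be ignored (global setting only) and that a key is "usable" when the line carries a recognised key type and a base64 blob.

```python
"""Audit helper for the PermitRootLogin heuristic discussed in the thread.
Constructed example, not OpenSSH code: read the global PermitRootLogin
value from sshd_config text, count usable keys in root's authorized_keys,
and report the policy the proposed start-up check would apply.
Assumptions: Match blocks are ignored (global setting only), and a key is
"usable" if its line carries a recognised key type followed by a blob.
"""
import re

VALID_VALUES = {"yes", "no", "without-password", "prohibit-password",
                "forced-commands-only"}   # prohibit-password: later synonym
# A key line: optional options, key type, base64 blob, optional comment.
KEY_RE = re.compile(r"(?:^|\s)(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp"
                    r"(?:256|384|521))\s+[A-Za-z0-9+/]+=*")

def permit_root_login(sshd_config: str) -> str:
    """Global PermitRootLogin: sshd honours the first occurrence, the
    keyword is case-insensitive, and the 6.x default is 'yes'."""
    for raw in sshd_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.split()[0].lower() == "match":
            break                          # assumption: ignore Match blocks
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            value = parts[1].strip().lower()
            return value if value in VALID_VALUES else "invalid"
    return "yes"

def usable_root_keys(authorized_keys: str) -> int:
    """Count authorized_keys lines that carry a parseable public key."""
    return sum(1 for line in authorized_keys.splitlines()
               if not line.lstrip().startswith("#") and KEY_RE.search(line))

def effective_policy(sshd_config: str, authorized_keys: str) -> str:
    """The rule proposed in the thread: 'without-password' with no root
    keys on disk at start-up behaves as 'no' (until the daemon is reloaded)."""
    setting = permit_root_login(sshd_config)
    if setting == "without-password" and usable_root_keys(authorized_keys) == 0:
        return "no"
    return setting

if __name__ == "__main__":
    # Constructed sample inputs: a config that allows key-only root login,
    # and an authorized_keys file holding only a comment (no usable key yet).
    sample_config = "# sshd_config\nPort 22\nPermitRootLogin without-password\n"
    sample_keys = "# root keys go here\n"
    print(effective_policy(sample_config, sample_keys))      # prints "no"
```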

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
