Re: ssh V1 / RootLogin disable [was: Building OpenSSH]

___cliff rayman___ wrote:

Andrew Smith wrote

Totally agree ... but more to the point ... why disable it?
The reason to disable root login in telnet is obvious.
If you don't trust ssh then don't install it :-)

The thinking is, you have to know a user's password and the root password in
order to break into the system. One password alone won't do it for you.


We have ssh set up to only allow public/private key access. Root can log in from the console, but not from anywhere else (telnet is disabled). In order to break into one of our machines you need two things: the private key of someone who has access and the passphrase for that private key. Well, good luck getting access to the private key -- there's one on this laptop I'm typing on and one on my machine at work (in a locked building). I'd tell you my passphrase, but at 53 characters you'd find it rather boring.

I have access to a machine in Germany where I log in with ssh and then do an su to root. The extra step adds no significant extra security -- although I'd be happy to be wrong and for someone to explain why it does.

jch
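
Added example, not part of the original message: a small audit of an `sshd_config` against the key-only, no-remote-root setup described above. The mapping of that setup to these OpenSSH keywords is an assumption, and both sample configs are constructed.

```python
# Added example: the required values below are an assumed mapping of the setup.
REQUIRED = {
    "permitrootlogin": "no",               # root only at the console
    "passwordauthentication": "no",        # no password logins
    "kbdinteractiveauthentication": "no",  # no PAM password prompt either
    "pubkeyauthentication": "yes",         # keys are the only way in
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Return the global keyword -> value map as sshd would resolve it."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # conditional blocks follow; only the global section is audited
        keyword = ALIASES.get(keyword, keyword)  # older spelling, same option
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(keyword, value)  # first occurrence wins in sshd
    return settings

def audit(config_text):
    """Return a list of findings; an empty list means the config matches."""
    settings = effective_settings(config_text)
    findings = []
    for keyword, wanted in REQUIRED.items():
        actual = settings.get(keyword)
        if actual is None:
            findings.append(f"{keyword}: not set, depends on the build's default")
        elif actual != wanted:
            findings.append(f"{keyword}: is '{actual}', expected '{wanted}'")
    return findings

# Constructed sample: the later "PermitRootLogin no" is ignored by sshd.
WEAK = """\
PermitRootLogin yes
PasswordAuthentication no
PermitRootLogin no
ChallengeResponseAuthentication yes
"""
HARDENED = ("PermitRootLogin no\nPasswordAuthentication no\n"
            "KbdInteractiveAuthentication no\nPubkeyAuthentication yes\n")

if __name__ == "__main__":
    print("\n".join(audit(WEAK)) or "config matches")
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves, which also covers included files and Match blocks that this sketch skips.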