On Sun, Mar 30, 2008 at 03:48:21PM +0200, Hans Witvliet wrote:
> Personally I keep sshd running, but OTOH, for newbie users, like Marcus suggested, have it installed but turned off (other daemons like telnet or ftp are not running by default either).
>
> Another suggestion, for the default sshd config:
> 1) Only enable the ssh2 protocol; now both ssh1 and ssh2 are enabled.
>    Protocol
>    Specifies the protocol versions sshd supports.
>    ==> The default is “2,1”. <==
This is already done for 10.3 and newer ... They only have 2 as default.
> 2) Disable PasswordAuthentication
>    Specifies whether password authentication is allowed.
>    ==> The default is “yes”. <==
>
> If you need remote access to a system, take the time to distribute a lengthy asymmetric key (longer than the default), protected by a long enough passphrase.
This is not really user-friendly, so I do not think we will do this.
> 3) Disable root access.
>    PermitRootLogin
>    Specifies whether root can log in using ssh.
>    ==> The default is “yes”. <==
>    Horrible!!
This would be an idea.
> 4) Restrict access with "AllowUsers".
>    This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns.
>    ==> By default, login is allowed for all users. <==
Not user-friendly either.
> Suggestions 1 & 3 should have little or no impact. 2) would only cause some seconds of extra work for admins...
I will bring up the "PermitRootLogin: false" idea.

Ciao, Marcus
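
The four suggestions discussed in this message can be checked mechanically against an existing sshd_config. The following is an added example, not code from the thread or from openSUSE: the function names and the sample config are constructed, and the fallback defaults are the ones quoted in the message above rather than those of any current sshd.

```python
import re

# Defaults as quoted in the message (assumption: they apply to the sshd being audited).
QUOTED_DEFAULTS = {
    "protocol": "2,1",
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
    "allowusers": "",  # empty means login is allowed for all users
}

def effective_settings(config_text):
    """Return the global value in effect for each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments, including commented-out settings
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if key == "match":
            break  # settings after Match are conditional, not global
        if key not in QUOTED_DEFAULTS:
            continue
        if key == "allowusers":
            seen[key] = (seen.get(key, "") + " " + value).strip()
        else:
            seen.setdefault(key, value)  # the first value read for a keyword wins
    return {k: seen.get(k, d) for k, d in QUOTED_DEFAULTS.items()}

def audit(config_text):
    """List which of the four suggestions the config does not meet."""
    s = effective_settings(config_text)
    findings = []
    if {v.strip() for v in s["protocol"].split(",")} != {"2"}:
        findings.append("1: Protocol allows ssh1")
    if s["passwordauthentication"].lower() != "no":
        findings.append("2: PasswordAuthentication is enabled")
    if s["permitrootlogin"].lower() != "no":
        findings.append("3: PermitRootLogin is not 'no'")
    if not s["allowusers"]:
        findings.append("4: no AllowUsers restriction")
    return findings

# Constructed sample: the commented-out line and the Match block do not count.
SAMPLE = """Protocol 2
PermitRootLogin no
permitrootlogin yes
#PasswordAuthentication no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "all four suggestions met")
```

A setting that is only commented out, or that appears only inside a Match block, leaves the global default in force, which is why the sample still fails suggestion 2.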