Mailinglist Archive: opensuse-factory (626 mails)
Re: [opensuse-factory] request for comments: disable ssh daemon by default
- From: "Ciro Iriarte" <cyruspy@xxxxxxxxx>
- Date: Sun, 30 Mar 2008 22:24:00 -0400
- Message-id: <a998a0140803301924h1952597biddd44e22ea322825@xxxxxxxxxxxxxx>
2008/3/30, Marcus Meissner <meissner@xxxxxxx>:
> On Sun, Mar 30, 2008 at 03:48:21PM +0200, Hans Witvliet wrote:
> > Personally I keep sshd running, but otoh, for newbie users, like Marcus
> > suggested, have installed, but turned off, (other daemons like telnet or
> > ftp are not running by default either)
> >
> > Another suggestion, for default sshd config
> > 1) only enable ssh2 protocol, now both ssh1 and ssh2 are enabled.
> > Protocol Specifies the protocol versions sshd supports.
> > ==> The default is "2,1". <==
>
> This is already done for 10.3 and newer ... They only have 2 as default.

Cool

> > 2) disable PasswordAuthentication
> > Specifies whether password authentication is allowed.
> > ==> The default is "yes". <==
> > If you need remote access to a system, take the time to distribute a
> > lengthy asymmetric key (longer than the default), protected by long
> > enough pass-phrase
>
> This is not really user-friendly, so I do not think we will do this.

I use a private key, but I second this..

> > 3) disable root access. PermitRootLogin
> > Specifies whether root can log in using ssh
> > ==> The default is "yes". <== Horrible!!
>
> This would be an idea.

That would be annoying, I have some servers where I don't have regular
users or LDAP authentication (not all of them need to in our
datacenter) and with this disabled I still would need to pull a serial
console from somewhere to change this and have access to the headless
server even though the sshd is up and running after installation
(remote installation case)

> > 4) restrict access with "AllowUsers"
> > This keyword can be followed by a list of user name patterns, separated
> > by spaces. If specified, login is allowed only for user names that
> > match one of the patterns.
> > ==> By default, login is allowed for all users. <==
>
> Not user-friendly either.

Probably...

> > Suggestion 1 & 3 should have little or no impact.
> > 2) would only cause some seconds extra work for admins...
>
> I will bring up the "PermitRootLogin: false" idea.
>
> Ciao, Marcus

Regards,
Ciro
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx
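
The four sshd_config suggestions discussed in this thread, as an added example that is not part of any poster's message: a small Python audit of a config file's global section, falling back to the defaults quoted in the thread when a keyword is absent. The function names and the sample config are made up for illustration.

```python
# Added example (not from the thread). Defaults are the ones the thread quotes,
# applied when a keyword is absent from the file.
THREAD_DEFAULTS = {
    "protocol": "2,1",
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
    "allowusers": None,  # unset: login allowed for all users
}

def effective_settings(config_text):
    """Global-section values; sshd uses the first value it reads per keyword."""
    settings = dict(THREAD_DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        fields = raw.strip().split(None, 1)
        if not fields or fields[0].startswith("#"):
            continue
        keyword = fields[0].lower()  # keywords are case-insensitive
        if keyword == "match":  # assumption: only the global section is audited
            break
        if keyword in settings and keyword not in seen and len(fields) == 2:
            seen.add(keyword)
            settings[keyword] = fields[1].strip()
    return settings

def audit(config_text):
    """Return one finding per suggestion (1-4) the config does not follow."""
    s = effective_settings(config_text)
    findings = []
    if "1" in {v.strip() for v in s["protocol"].split(",")}:
        findings.append("1) Protocol: ssh1 is still enabled")
    if s["passwordauthentication"].lower() != "no":
        findings.append("2) PasswordAuthentication: passwords are accepted")
    if s["permitrootlogin"].lower() != "no":
        findings.append("3) PermitRootLogin: root login is not disabled")
    if s["allowusers"] is None:
        findings.append("4) AllowUsers: login is allowed for all users")
    return findings

# Constructed sample config, not taken from the thread.
SAMPLE = """\
Protocol 2
permitrootlogin no
PermitRootLogin yes
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

In the sample the later "PermitRootLogin yes" line has no effect because the earlier value wins, so only suggestions 2 and 4 are reported.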