[Bug 234275] New: set PermitRootLogin in sshd_config to no by default
https://bugzilla.novell.com/show_bug.cgi?id=234275

           Summary: set PermitRootLogin in sshd_config to no by default
           Product: openSUSE 10.2
           Version: Final
          Platform: i686
        OS/Version: Other
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: danielstefanmader@web.de
         QAContact: qa@suse.de

Hello,

I am sure this has been discussed already a couple of times (and I already got flamed on #suse for this suggestion like hell) but I feel uncomfortable with the default settings of sshd_config.

Admittedly, port 22 is closed by default so that there is no security problem for total newbies. But whoever chooses to open the port has a higher risk with the current default than with a forbidden root access.

On every system that I administer, I have to manually edit /etc/ssh/sshd_config since there is a simple way to enable sshd with yast but no one-click option to adjust this, too.

As far as I heard "PermitRootLogin no" is default on Debian systems -- I think it could be set so, too, on openSUSE and the enterprise versions. Currently it is default even on SLES 10...

At least the default option should be changed since it is confusing:

    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented.  Uncommented options change a
    # default value.
    [...]
    # Authentication:
    #LoginGraceTime 2m
    #PermitRootLogin yes
    #StrictModes yes
    #MaxAuthTries 6

This indicates to my understanding that the default should be no, but uncommenting the option just leaves everything as it is...

Thank you all very much for your work,
Daniel

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
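The confusion in the report comes from how sshd reads its configuration: a line whose first non-blank character is "#" is pure documentation, the compiled-in default applies until an uncommented line sets the keyword, and for each keyword the first uncommented value wins. The following audit script is an added example (not code from the bug, from openSUSE or from the OpenSSH project) that resolves the effective global PermitRootLogin value the way sshd_config(5) describes, so an administrator can verify what a system actually enforces instead of reading the commented lines. The sample configurations are constructed for the example; the compiled-in default "yes" for PermitRootLogin is the one quoted in the bug.

```python
import re
import sys

# Constructed sample: the stock fragment quoted in the bug. Every option is
# commented out, so sshd applies its compiled-in defaults and uncommenting
# "#PermitRootLogin yes" changes nothing.
STOCK_SSHD_CONFIG = """\
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
"""

# Constructed sample: the same file after an administrator edited it by hand.
# The second uncommented PermitRootLogin line is ignored: first value wins.
HARDENED_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin no
#PermitRootLogin yes
PermitRootLogin yes
"""

# Constructed sample: a setting that only lives inside a Match block does not
# change the global value.
MATCH_ONLY_SSHD_CONFIG = """\
Match User backup
PermitRootLogin no
"""

# Compiled-in default for PermitRootLogin, as documented in sshd_config(5)
# and quoted in the bug report.
BUILTIN_DEFAULTS = {"permitrootlogin": "yes"}

# sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
_OPTION_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(\S+)")


def parse_global_options(config_text):
    """Return {keyword_lower: value} for the global section of an sshd_config.

    Rules mirrored from sshd_config(5):
      * a line whose first non-blank character is '#' is a comment;
      * for each keyword the FIRST uncommented value is used;
      * everything after the first 'Match' line is conditional and does not
        contribute to the global value.
    """
    effective = {}
    for raw in config_text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = _OPTION_RE.match(raw)
        if match is None:
            continue
        keyword, value = match.group(1).lower(), match.group(2)
        if keyword == "match":
            break
        effective.setdefault(keyword, value)
    return effective


def effective_option(config_text, keyword, builtin_default=None):
    """Value sshd will use for `keyword`, falling back to the compiled-in default."""
    key = keyword.lower()
    if builtin_default is None:
        builtin_default = BUILTIN_DEFAULTS.get(key)
    return parse_global_options(config_text).get(key, builtin_default)


def root_login_permitted(config_text):
    """True unless PermitRootLogin is explicitly 'no'.

    'without-password' and 'forced-commands-only' still let root log in with
    keys; only 'no' refuses the root account entirely.
    """
    return effective_option(config_text, "PermitRootLogin").lower() != "no"


def audit(config_text):
    """Summarise what the file actually enforces, ignoring commented defaults."""
    return {
        "PermitRootLogin": effective_option(config_text, "PermitRootLogin"),
        "root_login_possible": root_login_permitted(config_text),
    }


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path) as fh:
        print(audit(fh.read()))
```

Run it against a live file with `python3 sshd_audit.py /etc/ssh/sshd_config`; on the stock file from the bug it reports the effective value "yes" even though the only PermitRootLogin line in the file is commented out.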
https://bugzilla.novell.com/show_bug.cgi?id=234275

meissner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |anicka@novell.com
         AssignedTo|bnc-team-                   |security-team@suse.de
                   |screening@forge.provo.novell|
                   |.com                        |

------- Comment #1 from meissner@novell.com 2007-01-12 12:15 MST -------
opinions differ ... let's discuss this internally first :)
https://bugzilla.novell.com/show_bug.cgi?id=234275

------- Comment #2 from anicka@novell.com 2007-01-12 13:46 MST -------
OK, I am afraid I will have to oppose this proposal.

First of all: If we should take into question an opinion of someone else, I think it should be upstream rather than Debian. PermitRootLogin yes is the default option for OpenBSD, as can be seen even from the config file.

Second: When someone installs and enables sshd, he probably believes that sshd will work for him out of the box. Disabling root login is much more inconvenient than secure, IMHO - I guess that many more users want to have root login enabled than disabled. And anyway, if we want to have a really secure solution, don't you think we should disable login for everyone by default? :-)

Third: Whatever we chose once, we should not change when not necessary - I am sure that this problem is more a matter of opinion than a real issue - and when our users are used to default settings we have used for ages, they will be confused if we change it.

That is why I believe we should not change this default.

BTW, I consider my third argument most important - I believe we should not bother our users more than is really necessary. Maybe it would be nice to have a yast frontend for sshd_config to make life with sshd configuration easier, but this is a completely different issue.
https://bugzilla.novell.com/show_bug.cgi?id=234275

------- Comment #3 from judas_iscariote@shorewall.net 2007-01-12 18:56 MST -------
I think a question during install, "want to permit ssh root by default [risks caused by problems in chair described here] Yes/No" (with no selected by default), plus disabling ssh v1 by default, will be a nice option.
https://bugzilla.novell.com/show_bug.cgi?id=234275

meissner@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Comment #4 from meissner@novell.com 2007-01-13 06:25 MST -------
ssh v1 is disabled by default now in factory (for 10.3).

I think the arguments of Anna are sufficient. In such rollouts it can always be adapted automatically. A user visible config option would be overkill (and overload the installer).