2008/3/30, Marcus Meissner <meissner@suse.de>:
On Sun, Mar 30, 2008 at 03:48:21PM +0200, Hans Witvliet wrote:
Personally I keep sshd running, but otoh, for newbie users, like Marcus suggested, have it installed, but turned off (other daemons like telnet or ftp are not running by default either).
Another suggestion, for default sshd config
- only enable ssh2 protocol, now both ssh1 and ssh2 are enabled.
  Protocol: Specifies the protocol versions sshd supports. ==> The default is "2,1". <==
This is already done for 10.3 and newer ... They only have 2 as default.
Cool
- disable PasswordAuthentication
  PasswordAuthentication: Specifies whether password authentication is allowed. ==> The default is "yes". <==
If you need remote access to a system, take the time to distribute a lengthy asymmetric key (longer than the default), protected by a long enough pass-phrase.
This is not really user-friendly, so I do not think we will do this.
I use a private key, but I second this..
- disable root access.
  PermitRootLogin: Specifies whether root can log in using ssh. ==> The default is "yes". <== Horrible!!
This would be an idea.
That would be annoying. I have some servers where I don't have regular users or LDAP authentication (not all of them need to in our datacenter), and with this disabled I would still need to pull a serial console from somewhere to change this and have access to the headless server, even though the sshd is up and running after installation (remote installation case).
- restrict access with "AllowUsers"
  AllowUsers: This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. ==> By default, login is allowed for all users. <==
Not user-friendly either.
Probably...
Suggestions 1 & 3 should have little or no impact. 2) would only cause some seconds of extra work for admins...
I will bring up the "PermitRootLogin: false" idea.
Ciao, Marcus
Regards, Ciro
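Added example, not part of the thread or of any openSUSE tooling: a small audit that reads an sshd_config and reports which of the four suggestions discussed above (Protocol, PasswordAuthentication, PermitRootLogin, AllowUsers) it does not meet. The function names and sample configs are constructed for illustration, and the fallback defaults are the ones quoted in the thread.

```python
# Added example (not from the thread). Defaults are the ones quoted in the
# thread for 2008-era sshd; they are assumptions here, not current values.
THREAD_DEFAULTS = {
    "protocol": "2,1",
    "passwordauthentication": "yes",
    "permitrootlogin": "yes",
    "allowusers": None,  # unset: login is allowed for all users
}

def effective_settings(config_text):
    """Global value sshd would use for each keyword the thread discusses."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        if keyword == "match":
            break  # everything after Match is conditional, not global
        # sshd uses the first value it obtains for a keyword
        if keyword in THREAD_DEFAULTS and keyword not in seen and len(parts) == 2:
            seen[keyword] = parts[1].strip()
    return {k: seen.get(k, default) for k, default in THREAD_DEFAULTS.items()}

def findings(config_text):
    """List which of the thread's four suggestions the config does not meet."""
    s = effective_settings(config_text)
    out = []
    if "1" in [v.strip() for v in s["protocol"].split(",")]:
        out.append("Protocol: ssh1 still enabled (%s)" % s["protocol"])
    if s["passwordauthentication"].lower() != "no":
        out.append("PasswordAuthentication: password logins accepted")
    if s["permitrootlogin"].lower() != "no":
        out.append("PermitRootLogin: root login not disabled (%s)" % s["permitrootlogin"])
    if s["allowusers"] is None:
        out.append("AllowUsers: not set, login allowed for all users")
    return out

# Constructed sample configs, not taken from any real host.
SAMPLE_STOCK = "#Protocol 2,1\n#PermitRootLogin yes\nMatch User backup\n    PasswordAuthentication no\n"
SAMPLE_HARDENED = ("Protocol 2\nPasswordAuthentication no\nPermitRootLogin no\n"
                   "PermitRootLogin yes\nAllowUsers alice bob\n")

if __name__ == "__main__":
    for name, text in (("stock", SAMPLE_STOCK), ("hardened", SAMPLE_HARDENED)):
        print(name, findings(text) or "meets all four suggestions")
```

The hardened sample repeats PermitRootLogin to show that the first value wins, and the stock sample shows that a setting inside a Match block does not change the global default.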