On Tue, Apr 05, 2005 at 10:36:30AM +0100, Anthony Edwards wrote:
On Tue, Apr 05, 2005 at 04:56:38AM -0400, Allen wrote:
I did a follow up not long ago on setting up an FTP / SSH server on SUSE and had it kind of go together with the first one.
One thing I was slightly surprised to discover recently is that root shell SSH login is now enabled by default (in SuSE 9.2 at least) and has to be manually disabled, whereas in previous versions (I am not sure up to which version number) it was previously disabled by default.
Heh, at least it isn't telnet ;) Being serious for a second though, SSH is fairly secure as a service in general and is of great help for people like me. And you still have to enable the Firewall to allow SSH in the first place so I don't think it really adds that much of a helping hand to people trying to break in so even though it's there, it's not going to accept connections to the machine on that port, as The SUSE Firewall is enabled by default as well, which I thought was a great touch and the configuration of it can be done before installation has even finished, and so can updates for security patches, which theoretically would have the most secured OS in the World award going to SUSE. Security exploits are half of a battle at times and if you can patch them before you're even booted and the firewall is up and running already too, you have a very good chance of being attack free. Open BSD has nothing on SUSE, they do Code Audits too ;)
Presumably this is due to a change in policy by the OpenSSH developers? One thing I have always liked about SuSE's security policy (and that of most open source software developers in general) is that an installed system should be relatively secure by default, and that the user should need to gain at least a degree of technical knowledge in order to relax that policy.
The change in root shell SSH login access default policy mentioned above is not in line with that philosophy, it seems to me.
Adding to this, it could maybe be added to the security chapter of the SUSE admin guide on editing /etc/securetty and only leaving /dev/tty1 in there, that would prevent ANY log ins except from the keyboard attached to the machine, and even X can't have root log in that way. Hmm, that could be a cool idea there. I do get what you're saying though.
-- Anthony Edwards anthony.edwards@uk.easynet.net
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here