
Re: OT: Safe to access SSH server from work?



On Sat, 14 May 2011 23:15:33 +0900
Joel Rees <joel.rees@gmail.com> wrote:

...

> Disable root login on ssh entirely. (/etc/ssh/sshd_config has that
> enabled in my more-or-less default install. That is, I think, so you
> don't find yourself in a catch-22 when installing remotely. Should be
> in a list of things to do afterboot.)

From /usr/share/doc/openssh-server/README.Debian:

> PermitRootLogin set to yes
> --------------------------
> 
> This is now the default setting (in line with upstream), and people
> who asked for an automatically-generated configuration file when
> upgrading from potato (or on a new install) will have this setting in
> their /etc/ssh/sshd_config file.
> 
> Should you wish to change this setting, edit /etc/ssh/sshd_config, and
> change:
> PermitRootLogin yes
> to:
> PermitRootLogin no
> 
> Having PermitRootLogin set to yes means that an attacker that knows
> the root password can ssh in directly (without having to go via a user
> account). If you set it to no, then they must compromise a normal user
> account. In the vast majority of cases, this does not give added
> security; remember that any account you su to root from is equivalent
> to root - compromising this account gives an attacker access to root
> easily. If you only ever log in as root from the physical console,
> then you probably want to set this value to no.
> 
> As an aside, PermitRootLogin can also be set to "without-password" or
> "forced-commands-only" - see sshd(8) for more details.
> 
> DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
> 
> The argument above is somewhat condensed; I have had this discussion
> at great length with many people. If you think the default is
> incorrect, and feel strongly enough to want to argue about it, then
> send email to debian-ssh@lists.debian.org. I will close bug reports
> claiming the default is incorrect.

Celejar
-- 
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator
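A defender-side check to go with the README text quoted above, added here as an example that is not part of the original mail or of Debian's README: it reports the effective PermitRootLogin value of an sshd_config file using sshd's rule that the first occurrence of a keyword wins. The sample config files are constructed; the `Keyword=value` spelling and the contents of Match blocks are assumed out of scope and are not evaluated.

```shell
#!/bin/sh
# Print the effective PermitRootLogin value of the sshd_config given as $1.
# sshd semantics applied here: the FIRST occurrence of a keyword wins,
# keywords are case-insensitive, comment and blank lines are ignored, and
# everything after a "Match" header is conditional, so the scan stops there.
# Prints "unset" when no unconditional PermitRootLogin line exists, in which
# case sshd's compiled-in default applies (see sshd_config(5)).
effective_permit_root_login() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }              # comment or blank line
        tolower($1) == "match" { exit }                   # conditional section begins
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Constructed sample configs (not files from the post), written to a temp dir.
tmp=$(mktemp -d)
# The Debian default described in the README; a later "no" does not override it.
printf 'PermitRootLogin yes\nPermitRootLogin no\n' > "$tmp/default.conf"
# Hardened: odd whitespace and case, plus a Match block that must be ignored.
printf '   # hardened\n\tpermitrootlogin NO\nMatch User backup\n   PermitRootLogin yes\n' > "$tmp/hardened.conf"
# Only set inside a Match block: unconditionally it is unset.
printf 'Port 22\nMatch Address 10.0.0.0/8\n    PermitRootLogin yes\n' > "$tmp/unset.conf"

for name in default hardened unset; do
    printf '%s: %s\n' "$name" "$(effective_permit_root_login "$tmp/$name.conf")"
done
rm -r "$tmp"
```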

