Re: Bug#122188: ssh: ssh should start earlier
On Mon, 15 Sep 2003 17:55, Andreas Metzler wrote:
> >> I think this is basically a good idea. My ideal would be for sshd
> >> start early (as soon as /usr is mounted, before attempting to mount
> >> other filesystems) with a minimal config that allows only root
> >> logins, then restart later with the normal config. This would be a
> >
> > Having sshd allow root logins during the boot process when you don't
> > allow such logins while the machine is fully operational seems like
> > a bad idea.
> >
> > If allowing root logins is not considered to be a security problem
> > then they should be allowed at all times.
>
> [...]
>
> They are.
>
> Debian's "out-of-the-box" ssh config features PermitRootLogin yes,
> therefore Andrew's suggestion boils down to "early ssh allows login
> _only_ for root, restarted ssh allows login for all users, including
> root" instead of "root" vs. "everbody but root" as you read it.
OK. In that case there would be no need to restart sshd with a different
configuration as the regular configuration of sshd will respect /etc/nologin,
which is all the control we need over non-root logins.
Anyway /etc/nologin is not a security issue IMHO, it's just a conveniance to
avoid users calling the admin and asking "why can't I get to my files" when /
home is being fsck'd. So if you allow users to login earlier it's no serious
issue.
Reply to: