Bug#268407: marked as done (ssh: default status of root login)
Your message dated Fri, 27 Aug 2004 16:12:11 +0100
with message-id <20040827151211.GG32179@riva.ucam.org>
and subject line Bug#268407: ssh: default status of root login
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 27 Aug 2004 14:24:33 +0000
From primoz@posta.owca.info Fri Aug 27 07:24:33 2004
Return-path: <primoz@posta.owca.info>
Received: from (posta.owca.info) [193.95.254.133]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1C0heZ-0005vw-00; Fri, 27 Aug 2004 07:24:33 -0700
Received: by posta.owca.info (Postfix, from userid 1001)
id 9DF29F00AD; Fri, 27 Aug 2004 16:24:13 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Primoz Bratanic <primoz@slo-tech.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh: default status of root login
X-Mailer: reportbug 2.63
Date: Fri, 27 Aug 2004 16:24:13 +0200
Message-Id: <20040827142413.9DF29F00AD@posta.owca.info>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
Package: ssh
Version: 1:3.8.1p1-4
Severity: wishlist
Tags: security
It would be nice to have permit root login disabled by default or to at
least ask about it.
---------------------------------------
Received: (at 268407-done) by bugs.debian.org; 27 Aug 2004 15:12:14 +0000
From cjwatson@flatline.org.uk Fri Aug 27 08:12:14 2004
Return-path: <cjwatson@flatline.org.uk>
Received: from chiark.greenend.org.uk [193.201.200.170] (mail)
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1C0iOj-00022Y-00; Fri, 27 Aug 2004 08:12:13 -0700
Received: from [192.168.124.112] (helo=riva.lab.dotat.at)
by chiark.greenend.org.uk (Debian Exim 3.35 #1) with esmtp
id 1C0iOi-0004cB-00; Fri, 27 Aug 2004 16:12:12 +0100
Received: from cjwatson by riva.lab.dotat.at with local (Exim 3.35 #1 (Debian))
id 1C0iOh-0001dj-00; Fri, 27 Aug 2004 16:12:11 +0100
Date: Fri, 27 Aug 2004 16:12:11 +0100
From: Colin Watson <cjwatson@debian.org>
To: 268407-done@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#268407: ssh: default status of root login
Message-ID: <20040827151211.GG32179@riva.ucam.org>
References: <20040827142413.9DF29F00AD@posta.owca.info>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040827142413.9DF29F00AD@posta.owca.info>
User-Agent: Mutt/1.3.28i
Delivered-To: 268407-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER,
VALID_BTS_CONTROL autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level:
X-CrossAssassin-Score: 2
tags 268407 wontfix
thanks
On Fri, Aug 27, 2004 at 04:24:13PM +0200, Primoz Bratanic wrote:
> Package: ssh
> Version: 1:3.8.1p1-4
> Severity: wishlist
> Tags: security
>
>
> It would be nice to have permit root login disabled by default or to at
> least ask about it.
Please see README.Debian:
PermitRootLogin set to yes
--------------------------
This is now the default setting (in line with upstream), and people
who asked for an automatically-generated configuration file when
upgrading from potato (or on a new install) will have this setting in
their /etc/ssh/sshd_config file.
Should you wish to change this setting, edit /etc/ssh/sshd_config, and
change:
PermitRootLogin yes
to:
PermitRootLogin no
Having PermitRootLogin set to yes means that an attacker that knows
the root password can ssh in directly (without having to go via a user
account). If you set it to no, then they must compromise a normal user
account. In the vast majority of cases, this does not give added
security; remember that any account you su to root from is equivalent
to root - compromising this account gives an attacker access to root
easily. If you only ever log in as root from the physical console,
then you probably want to set this value to no.
As an aside, PermitRootLogin can also be set to "without-password" or
"forced-commands-only" - see sshd(8) for more details.
DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
The argument above is somewhat condensed; I have had this discussion
at great length with many people. If you think the default is
incorrect, and feel strongly enough to want to argue with me about it,
then send me email to matthew@debian.org. I will close bug reports
claiming the default is incorrect.
You can change the setting in /etc/ssh/sshd_config, along with many
other pieces of sshd configuration; however, I'm afraid we will not be
adding a debconf question for this. (There are already more than enough,
and we want to reduce the list, not add to it.)
Cheers,
--
Colin Watson [cjwatson@flatline.org.uk]
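The README.Debian text quoted above tells an administrator to edit PermitRootLogin by hand. As an added example (not part of the bug report, the README, or the Debian ssh package), the POSIX shell functions below report the effective PermitRootLogin value of an sshd_config given on stdin and rewrite it to the "no" setting the README recommends. The config text is a constructed sample; the functions assume a plain config without Match blocks.

```shell
# Constructed sample sshd_config (not taken from the bug report). It contains
# a commented-out directive, an active "yes", and a later duplicate "no".
SAMPLE_CONFIG='# sshd_config (constructed sample)
Port 22
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no
Subsystem sftp /usr/lib/openssh/sftp-server'

# Print the effective PermitRootLogin value for the config on stdin.
# sshd uses the FIRST occurrence of a keyword, so later duplicates are
# ignored; the keyword is matched case-insensitively and commented lines
# are skipped. A missing directive falls back to "yes", the default the
# README.Debian above describes (assumption: no Match blocks present).
effective_permit_root_login() {
    val=$(sed -n 's/^[[:space:]]*[Pp][Ee][Rr][Mm][Ii][Tt][Rr][Oo][Oo][Tt][Ll][Oo][Gg][Ii][Nn][[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${val:-yes}"
}

# Rewrite the config on stdin so that PermitRootLogin is "no". Every active
# directive is replaced (duplicates included, so none can shadow the
# hardened value); if there is none, one is appended at the end.
set_permit_root_login_no() {
    awk '
        tolower($1) == "permitrootlogin" { print "PermitRootLogin no"; found = 1; next }
        { print }
        END { if (!found) print "PermitRootLogin no" }
    '
}

# Stand-alone demonstration: the sample is effectively "yes" before the
# rewrite and "no" after it.
printf '%s\n' "$SAMPLE_CONFIG" | effective_permit_root_login
printf '%s\n' "$SAMPLE_CONFIG" | set_permit_root_login_no | effective_permit_root_login
```

Run the rewrite against a copy of /etc/ssh/sshd_config and diff it before installing, then reload sshd so the new directive takes effect.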