
Bug#298138: ssh: PermitRootLogin should default to "no"

On Sat, March 5, 2005 02:41, Matthew Vernon said:
> Please read README.Debian before submitting your bug reports - this is
> good practice for any package, not just ssh.

You're absolutely correct, I should have done that, sorry.

If you permit, I'd like to ask a question about this. To me, the text in
README.Debian is not clear on the following point: how is allowing root
login just as secure as not allowing that?

You write:
"If you set it to no, then they must compromise a normal user
account. In the vast majority of cases, this does not give added
security; remember that any account you su to root from is equivalent
to root - compromising this account gives an attacker access to root

As I understand this, the hacker has to do the following to gain superuser

1. Know the root password.
1. Compromise a normal user account (one that allows su-ing).
2. Know the root password or a local root exploit.

The second one is hence more difficult than the first one (compromising
two accounts is inherently more difficult than one). Step (1) can be more
challenging because you need to know a valid username (also not always
trivial since systems are configured by default not to leak this

So to me it just seems to add some extra security to the whole thing,
doesn't it?

I've done some web searching and found out that many security documents /
HOWTO's / manuals advise to turn this off. And found none that actually
advise to turn it on.

Secondly, I don't see the great advantage of turning it on. You might
argue whether turning it off makes things more secure or not, but in the
worst case it's at least just as secure as turning it off. I don't see a
good reason to allow remote root logins *by default* to newly installed
boxes, and those who have a good reason to want it can easily turn it on.

I'm interested in your views on this matter.


Thijs Kinkhorst
