
Bug#431627: marked as done (ssh: PermitRootLogin yes??)



Your message dated Tue, 03 Jul 2007 23:54:05 +0100
with message-id <1183503246.6906.18.camel@kaa.jungle.aubergine.my-net-space.net>
and subject line Bug#431627: ssh: PermitRootLogin yes??
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: ssh
Version: 1:4.6p1-3
Severity: important

Did a new install of lenny amd64 and I was surprised that 'PermitRootLogin yes'
was the default setting in /etc/ssh/sshd_config. Is there a reason for this? Seems
insecure.


-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'oldstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.20-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages ssh depends on:
ii  openssh-client              1:4.6p1-3+b1 secure shell client, an rlogin/rsh
ii  openssh-server              1:4.6p1-3+b1 secure shell server, an rshd repla

ssh recommends no packages.

-- no debconf information


--- End Message ---
--- Begin Message ---
Hi,

On Tue, 2007-07-03 at 17:17 -0500, Bob Tanner wrote:
> Package: ssh
> Version: 1:4.6p1-3
> Severity: important
> 
> Did a new install of lenny amd64 and I was surprised that 'PermitRootLogin yes'
> was the default setting in /etc/ssh/sshd_config. Is there a reason for this? Seems
> insecure.

As far as I can see, it's been the default since January 2003. Please
see README.Debian. Specifically:

        Having PermitRootLogin set to yes means that an attacker that knows
        the root password can ssh in directly (without having to go via a user
        account). If you set it to no, then they must compromise a normal user
        account. In the vast majority of cases, this does not give added
        security
        [...]
        DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!

        The argument above is somewhat condensed; I have had this discussion
        at great length with many people. If you think the default is
        incorrect, and feel strongly enough to want to argue with me about it,
        then send me email to matthew@debian.org. I will close bug reports
        claiming the default is incorrect.

I'm closing this report on the assumption that Colin's opinion is
similar. If not, the documentation should be updated (which it probably
should be to remove Matthew's address anyway :)

Regards,

Adam

--- End Message ---
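The discussion above turns on what value of PermitRootLogin a given sshd_config actually yields. The following is an added example, not code from this bug thread or from the Debian ssh package: a small Python parser that determines the effective global PermitRootLogin value of an sshd_config the way sshd reads it (keywords are case-insensitive, the first occurrence of a keyword wins, and settings inside a Match block are conditional rather than global) and classifies whether that value restricts password-based root logins. The sample configuration text is constructed for the example, and the fallback value used when the keyword is absent is an assumption stated for the OpenSSH 4.6 era of this report.

```python
import re

# Constructed sample sshd_config for this example (not a file from the thread).
# The second PermitRootLogin line is a deliberate duplicate: sshd honours the
# FIRST occurrence of a keyword, so the later 'no' is silently ignored.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
# A later, contradictory line that sshd ignores:
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
"""

# Values that stop an attacker who only knows the root password from logging
# in directly as root over ssh. 'prohibit-password' is the newer spelling of
# 'without-password'; both mean key-based root login only.
RESTRICTED_VALUES = {"no", "without-password", "prohibit-password",
                     "forced-commands-only"}


def effective_permit_root_login(config_text, compiled_default="yes"):
    """Return the global PermitRootLogin value sshd would use for config_text.

    Rules implemented, as documented in sshd_config(5):
      * empty lines and lines starting with '#' are comments;
      * keyword and value are separated by whitespace or '=';
      * keywords are case-insensitive;
      * the first value set for a keyword wins, later ones are ignored;
      * lines after a 'Match' keyword apply only when the Match criteria hold,
        so they never set the global value and are skipped here.

    compiled_default is an assumption for the build being examined; for
    OpenSSH 4.6 (the version in this report) the compiled-in default was 'yes'.
    """
    in_match_block = False
    for raw_line in config_text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match_block = True
            continue
        if in_match_block:
            continue
        if keyword == "permitrootlogin":
            return value.lower()
    return compiled_default


def root_password_login_restricted(config_text, compiled_default="yes"):
    """True if the effective global setting blocks direct password root login."""
    value = effective_permit_root_login(config_text, compiled_default)
    return value in RESTRICTED_VALUES


if __name__ == "__main__":
    value = effective_permit_root_login(SAMPLE_SSHD_CONFIG)
    print("effective PermitRootLogin:", value)
    print("direct password root login restricted:",
          root_password_login_restricted(SAMPLE_SSHD_CONFIG))
```

On a live system the authoritative answer comes from `sshd -T` (available in later OpenSSH releases), which prints the effective configuration after all of the above rules have been applied; the parser here is useful for auditing configuration files offline, for example copies collected from many hosts, and its first-occurrence-wins handling is the detail most often missed when someone appends `PermitRootLogin no` to the end of a file that already sets it.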
