Bug#431627: marked as done (ssh: PermitRootLogin yes??)
Your message dated Tue, 03 Jul 2007 23:54:05 +0100
with message-id <1183503246.6906.18.camel@kaa.jungle.aubergine.my-net-space.net>
and subject line Bug#431627: ssh: PermitRootLogin yes??
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: ssh
Version: 1:4.6p1-3
Severity: important
Did a new install of lenny amd64 and I was surprised that 'PermitRootLogin yes'
was the default setting in /etc/ssh/sshd_config. Is there a reason for this? Seems
insecure.
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'oldstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.20-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash
Versions of packages ssh depends on:
ii openssh-client 1:4.6p1-3+b1 secure shell client, an rlogin/rsh
ii openssh-server 1:4.6p1-3+b1 secure shell server, an rshd repla
ssh recommends no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Hi,
On Tue, 2007-07-03 at 17:17 -0500, Bob Tanner wrote:
> Package: ssh
> Version: 1:4.6p1-3
> Severity: important
>
> Did a new install of lenny amd64 and I was surprised that 'PermitRootLogin yes'
> was the default setting in /etc/ssh/sshd_config. Is there a reason for this? Seems
> insecure.
As far as I can see, it's been the default since January 2003. Please
see README.Debian. Specifically:
    Having PermitRootLogin set to yes means that an attacker that knows
    the root password can ssh in directly (without having to go via a user
    account). If you set it to no, then they must compromise a normal user
    account. In the vast majority of cases, this does not give added
    security
    [...]
    DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
    The argument above is somewhat condensed; I have had this discussion
    at great length with many people. If you think the default is
    incorrect, and feel strongly enough to want to argue with me about it,
    then send me email to matthew@debian.org. I will close bug reports
    claiming the default is incorrect.
I'm closing this report on the assumption that Colin's opinion is
similar. If not, the documentation should be updated (which it probably
should be to remove Matthew's address anyway :)
Regards,
Adam
--- End Message ---
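As an added example, not part of the bug report or of README.Debian, here is a small audit check that reports the effective global PermitRootLogin value of an sshd_config. It honours OpenSSH's rules that keywords are case-insensitive, that the first occurrence of a keyword wins, and that lines after a Match block are conditional, and it assumes the compiled-in default of yes that applies to the OpenSSH 4.6 release named above; the sample configurations are constructed, not the reporter's file.

```python
"""Report the effective global PermitRootLogin setting of an sshd_config.

OpenSSH semantics relied on here: keywords are case-insensitive, the FIRST
occurrence of a keyword wins (later duplicates are ignored), lines starting
with '#' are comments, keyword and value may be separated by whitespace or
'=', and everything after a 'Match' line applies only to matching
connections, so it is not the global value.  When the keyword is absent the
compiled-in default applies; for OpenSSH 4.6 that default is 'yes'.
"""
import re

# Constructed sample: the weak setting discussed in the report.  The second
# PermitRootLogin line is ignored by sshd because the first one wins.
WEAK_CONFIG = """\
# Package generated configuration file
Port 22
Protocol 2
PermitRootLogin yes
PermitRootLogin no
Match User deploy
    PermitRootLogin no
"""

# Constructed sample: the hardened form, root must go via a user account.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
"""

def effective_permit_root_login(config_text, compiled_default="yes"):
    """Return (value, source) for the global PermitRootLogin setting."""
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # everything below is conditional, not the global value
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip(), "line %d" % lineno
    return compiled_default, "compiled-in default"

def root_login_allowed(config_text, compiled_default="yes"):
    """True when root can authenticate directly over ssh in some form."""
    value, _ = effective_permit_root_login(config_text, compiled_default)
    return value != "no"
```

Run it against a real /etc/ssh/sshd_config by passing the file's contents to effective_permit_root_login; "compiled-in default" as the source means the file never sets the keyword at global scope.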