Review for "PermitRootLogin without-password" change

To: debian-l10n-english@lists.debian.org
Cc: debian-ssh@lists.debian.org
Subject: Review for "PermitRootLogin without-password" change
From: Colin Watson <cjwatson@debian.org>
Date: Thu, 20 Mar 2014 01:48:33 +0000
Message-id: <[🔎] 20140320014833.GC32733@riva.ucam.org>
Mail-followup-to: debian-l10n-english@lists.debian.org, debian-ssh@lists.debian.org

After (how can I put it) extensive and heated discussion over many
years, I intend to change sshd_config in new installations of
openssh-server to use "PermitRootLogin without-password" rather than
"PermitRootLogin yes".  I have been considering what to do about
upgrades.  Loath though I am to ask more questions of the user, writing
the README.Debian documentation for this is making me come round to the
belief that I probably ought to.  (This is a shame since I'd only
recently managed to get rid of the last old and crufty uses of debconf
in openssh, but there you go.)

I'm considering asking the following via debconf, probably at priority
high, and would like review of the text before inflicting it on
translators.

  Templates: openssh-server/permit-root-login
  Type: boolean
  Default: false
  _Description: Disable SSH password authentication for root?
   Previous versions of openssh-server permitted logging in as root over SSH
   using password authentication. The default for new installations is now
   "PermitRootLogin without-password", which disables password authentication
   for root without breaking systems that have explicitly configured SSH
   public key authentication for root.
   .
   This change makes systems more secure against brute-force password
   dictionary attacks on the root user (a very common target for such
   attacks). However, it may break systems that are set up with the
   expectation of being able to SSH as root using password authentication. You
   should only make this change if you do not need to do that.


Caveats:

I'm a native British English speaker, Northern Irish dialect mutated by
fifteen years of living in England.  Usually not very much dialect
creeps through into my technical writing, but, you know, advance warning
and all that.

I normally prefer two spaces after sentence-final full stops, and I
followed that in README.Debian, but my recollection is that
debian-l10n-english@ usually prefers one space in debconf template text
so I went with that style here.  Let me know if I've misremembered or if
this has changed.

I've taken the linguistic liberty of using "SSH" as a verb in the second
paragraph, because "log in over SSH" gets clunky after the first use.
This is pretty commonplace jargon and I think it's clear in context.


For context as much as for review, here's the new text I currently plan
to include in README.Debian:

  PermitRootLogin
  ---------------
  
  As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
  without-password".  This disables password authentication for root, foiling
  password dictionary attacks on the root user.  Some sites may wish to use
  the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
  but note that "PermitRootLogin no" will break setups that SSH to root with a
  forced command to take full-system backups.  You can use PermitRootLogin in
  a Match block if you want finer-grained control here.
  
  For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in
  line with upstream.  To avoid breaking local setups, this is still true for
  installations upgraded from before 1:6.6p1-1.  If you wish to change this,
  you should edit /etc/ssh/sshd_config, change it manually, and run "service
  ssh restart" as root.
  
  Disabling PermitRootLogin means that an attacker possessing credentials for
  the root account (any credentials in the case of "yes", or private key
  material in the case of "without-password") must compromise a normal user
  account rather than being able to SSH directly to root.  Be careful to avoid
  a false illusion of security if you change this setting; any account you
  escalate to root from should be considered equivalent to root for the
  purposes of security against external attack.  You might for example disable
  it if you know you will only ever log in as root from the physical console.
  
  Since the root account does not generally have non-password credentials
  unless you explicitly install an SSH public key in its
  ~/.ssh/authorized_keys, which you presumably only do if you want to SSH to
  it, "without-password" should be a reasonable default for most sites.
  
  For further discussion, see:
  
    https://bugs.debian.org/298138
    https://bugzilla.mindrot.org/show_bug.cgi?id=2164


Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply to:

Follow-Ups:
- Re: Review for "PermitRootLogin without-password" change
  - From: Christian PERRIER <bubulle@debian.org>
- Re: Review for "PermitRootLogin without-password" change
  - From: Justin B Rye <justin.byam.rye@gmail.com>
- Re: Review for "PermitRootLogin without-password" change
  - From: Matthew Vernon <matthew@debian.org>
- Re: Review for "PermitRootLogin without-password" change
  - From: James Cloos <cloos@jhcloos.com>
- Re: Review for "PermitRootLogin without-password" change
  - From: Matthew Vernon <matthewv@chiark.greenend.org.uk>

Prev by Date: Bug#298138: ssh: PermitRootLogin should defaul to "no"
Next by Date: Re: Review for "PermitRootLogin without-password" change
Previous by thread: Bug#298138: ssh: PermitRootLogin should defaul to "no"
Next by thread: Re: Review for "PermitRootLogin without-password" change
Index(es):
- Date
- Thread