Bzzzz wrote:
> Bob Proulx wrote:
> > Personally I always use a strong password for root, only very
> > rarely log in as root using a password,
> > mostly use ssh rsa keys with a strong passphrase for remotely
> > logging in, but do allow remote root login.
>
> ? You don't need a password (except for local login,
> œuf corse), only to record the distant root RSA key
> into $HOME/.ssh/authorized_keys and allow key remote
> login.

Yes. That is why the new Debian default is "without-password" as
documented in the README.Debian file. A good default for most uses.

That is why I said "personally" in the above. It is my personal choice.
I acknowledge that others feel differently.

Just to plug a good tool, I like using pwgen to generate truly random
passwords. A long random password is sufficiently difficult to exploit.
If you are using passwords that are easy to crack then they should
definitely be disabled. Here is an example:

  $ pwgen 16 1
  au6fiegieCh5shio

> Which has been repeatedly discussed in Debian and is
> sure (even for root).

Unless due to system breakage that fails to work right when you need
it. And then the only way in is the password. Or a long flight/drive to
get hands-on physical access to the remote machine.

For those terrified of root being able to log in, it is your choice to
disable it. Please feel free to do so. Just remember that the only truly
safe computer is one that is powered off.

This next reference is about firewalls but it feels like it can apply
here too.

http://www.ranum.com/security/computer_security/papers/a1-firewall/index.html

Bob
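The thread turns on what PermitRootLogin actually resolves to ("without-password", the value the README.Debian note documents, versus a plain "yes"). Below is an added example, not code from the list post or from Debian, that audits an sshd_config the way sshd reads it: the first value of a keyword wins, later duplicates are ignored, and a Match line ends the global section. The sample config is constructed for the demonstration; the assumed default when PermitRootLogin is absent is the "without-password" the post describes, and PAM/keyboard-interactive authentication is deliberately ignored.

```python
import re

# Keyword and value are separated by whitespace or by a single '='.
_SPLIT = re.compile(r"\s*=\s*|\s+")


def effective_value(config_text, keyword, default):
    """Global value sshd applies for `keyword`: the FIRST one wins.

    Keywords are case-insensitive, '#' starts a comment, and a 'Match' line
    ends the global section, so scanning stops there.
    """
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = _SPLIT.split(line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default


def audit_root_login(config_text, default_permit="without-password"):
    """Summarise the root login policy as a dict.

    `default_permit` is assumed when PermitRootLogin is absent; the post says
    Debian's default is "without-password" ("prohibit-password" is the newer
    spelling of the same setting).  PAM/keyboard-interactive auth is ignored.
    """
    permit = effective_value(config_text, "PermitRootLogin", default_permit)
    pw_auth = effective_value(config_text, "PasswordAuthentication", "yes")
    return {
        "permit_root_login": permit,
        "password_authentication": pw_auth,
        "root_key_login_possible": permit != "no",
        "root_password_login_possible": permit == "yes" and pw_auth == "yes",
    }


# Constructed sample: a second PermitRootLogin line was appended, but sshd
# keeps the first value, so root still cannot log in with a password.
SAMPLE_CONFIG = """\
PermitRootLogin without-password   # documented Debian default
PasswordAuthentication yes
PermitRootLogin yes                # ignored: first value wins
Match User backup
    PermitRootLogin no
"""
```

Running `audit_root_login(SAMPLE_CONFIG)` reports root key login possible and root password login not possible, which is the "without-password" behaviour the post refers to.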