current-users: Re: sshd Change: PermitRootLogin = no

Subject: Re: sshd Change: PermitRootLogin = no
To:

, Curt Sampson <cjs@cynic.net>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 08/30/2001 11:45:29

On Fri, 31 Aug 2001, Curt Sampson wrote:

> Before we started shipping ssh with NetBSD, our default security policy
> regarding authenticating as root using the root password was that you
> first had to be able to authenticate as a user in the wheel group or
> be at a secure terminal. (This was implemented by making most terminals
> insecure and putting root in the wheel group.) Distributing ssh appears
> to have inadvertantly changed that, since ssh's default policy as shipped
> is to allow direct root logins.
>
> In order to bring us back to the state we were in before I've changed
> the default sshd_config file (which is installed as /etc/sshd.conf)
> to have the "PermitRootLogin" option set to "no". From this point on,
> if you use direct root logins from the network via ssh, you will want
> to flip this option back after new installs or re-installs in /etc.

Where was the discussion of this change before it happened?

I ask because you have implicitly assumed that ssh connections don't count
as "secure" terminals. That assumption differs from my thoughts on the
matter, and evidently from the thoughts of the ssh maintaners. Why don't
they?

Also, you have changed an option and said, if you want it the old way,
change it after an install. Yet you didn't try and find out what portion
of the NetBSD population will be affected. If most folks want to have no
root-logins the default, I'll hush. But if most folks want them, doesn't
it make more sense to leave things as they were?

Thirdly, I can see one definite advantage to allowing root logins over
ssh.  When a machine gets to the process limit, non-root users won't be
alowed to make new processes. Among other things, as I understand it, if
you're not root, no login. The kernel will, though, let root fork until
the absolute limit is reached. So there's a usage window where a root-ssh
can get in to fix things that a regular user su'ing to root can't. Yes, it
doesn't happen often, but it's an advantage. :-)

I guess my main irritation is that ssh used to do what I wanted right out
of the box. Then the defaults got changed by the openssh folks. Now NetBSD
is adding its own, annoying default change.

Take care,

Bill