Subject: Re: PermitRootLogin in SSHd (WAS: Re: Telnet logins)
To: None <lavalamp@burghcom.com>
From: Tim Preston <tim@flibble.org>
List: port-i386
Date: 08/20/2001 14:22:40
Brian Seklecki wibbled one day

> Not to nitpick, but in a vacuum, you can ssh into a system as root, but
> in production, you would probably never want to permit anyone to do that
> (even/especially if you're using RSA/DSA key authentication).  The only
> somewhat safe way I can see that implemented would be in combination
> with hostname based ACLs.

I've worked in a production environment where ssh as root via RSA
key authentication was the main access into the boxes I was looking
after (the only other access methods were for use when that one wasn't
usable). Given the particulars of that environment I agree with the
policy.


> In fact, I cast a vote for setting PermitRootLogin to FALSE in the
> default sshd_config.

Personally I don't think it's that clear cut, but we are only talking
about a default shipping configuration here...


-- 
I'm back...