Subject: Re: PermitRootLogin in SSHd (WAS: Re: Telnet logins)
To: None <lavalamp@burghcom.com>
From: Tim Preston <tim@flibble.org>
List: port-i386
Date: 08/20/2001 14:22:40
Brian Seklecki wibbled one day
> Not to nitpick, but in a vacuum, you can ssh into a system as root, but
> in production, you would probably never want to permit anyone to do that
> (even/especially if you're using RSA/DSA key authentication). The only
> somewhat safe way I can see that implemented would be in combination
> with hostname based ACLs.
I've worked in a production environment where ssh as root via RSA
key authentication was the main access into the boxes I was looking
after (the only other access methods were for use when that one wasn't
usable). Given the particulars of that environment I agree with the
policy.
> In fact, I cast a vote for setting PermitRootLogin to FALSE in the
> default sshd_config.
Personally I don't think it's that clear cut, but we are only talking
about a default shipping configuration here...
--
I'm back...