Subject: Re: sshd won't allow access by root
To: None <tech-install@netbsd.org>
From: William Allen Simpson <wsimpson@greendragon.com>
List: tech-install
Date: 09/28/2002 13:20:45

Roland Dowdeswell wrote:
> 
> Yes, it appears that the documentation does not match the src.
> I've just submitted a PR to resolve this issue.  And checked in a
> fix to the man page into current.  I'll request that the documentation
> change be pulled up to the release branches.  This will at least
> take care of the documentation issues.
> 
Well, that was quick -- although I just looked for the PR, and cannot
find it.  Does it take a while to appear online?


> Whether this is the correct setting is another discussion of course.
> The rationale behind the decision is to make the behaviour of sshd
> consistent with the rest of the system which does not allow root
> to log in w/ a passwd from anything but the console.
> 
> I would certainly go as far as to suggest that for actual consistency,
> we should make the setting ``without-password'' rather than ``no'',
> because via krb5 for example, you can log in as root over telnetd
> on an insecure tty.  Granted though, that in that case I'd be coming
> in as elric/root@IMRRYR.ORG and so there's more of an audit trail.
> 
Better yet, make ssh like kerberos, since ssh is arguably simpler and more 
secure.  It would sure save a lot of headaches.  

How are these decisions made?  Which list?  By whom?


> We should probably change the comments in the default sshd_config
> to match the change in defaults as well.
> 
Yes, and add caveats to INSTALL (Post installation steps 2 and/or 3), 
where it talks about using root without a password, and setting up 
user accounts. 

(It is pretty amazing to me that on the one hand, recent changes allow 
root without a password; while on the other, recent changes restrict 
ssh from accessing root.)

And, in "Initialization and Services Control", a mention about needing to 
configure users before adding sshd to rc.config would be helpful, since 
all of the examples are with root, but you cannot actually execute them 
via ssh.  Presumably, they all need to be re-written with su.

Also, in "Tracking NetBSD -current", although it does mention fixing 
permissions in setting up step 6, there's no discussion how this works 
from a non-root account in the first place. 

Similar problems in Guide "Chapter 18. Obtaining sources by CVS".

There are a lot of "unintended consequences" to making a decision like 
this new ssh restriction....

-- 
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
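
Added example, not part of the original message and not NetBSD or OpenSSH code: a small check for the mismatch discussed above, where a commented-out line in sshd_config shows one default while the sshd binary applies another. The sample config text is constructed, and the compiled-in default is an assumption the caller supplies (here "no", as the thread describes the source).

```python
import re

# What each PermitRootLogin value discussed in the thread means for root.
ROOT_POLICY = {
    "yes": {"password": True, "non_password": True},
    "without-password": {"password": False, "non_password": True},
    "no": {"password": False, "non_password": False},
}

def effective_permit_root_login(config_text, compiled_default):
    """Return (value, source); compiled_default is a caller-supplied assumption."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out "default" sets nothing
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # sshd_config keywords are case-insensitive
        if keyword == "match":
            break  # simplification: only the global section is examined
        if keyword == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().strip('"'), "sshd_config"  # first value wins
    return compiled_default, "compiled-in default"

def root_login_report(config_text, compiled_default):
    """Combine the effective value with what it allows for root."""
    value, source = effective_permit_root_login(config_text, compiled_default)
    policy = ROOT_POLICY.get(value)
    if policy is None:
        raise ValueError(f"unhandled PermitRootLogin value: {value!r}")
    return {"value": value, "source": source, **policy}

# Constructed sample: shipped file whose comment still shows an older default.
STALE_COMMENT = """\
Port 22
#PermitRootLogin yes
"""
# Constructed sample: explicit setting; the later duplicate line is ignored.
EXPLICIT = """\
permitrootlogin without-password
PermitRootLogin yes
"""

if __name__ == "__main__":
    print(root_login_report(STALE_COMMENT, "no"))
    print(root_login_report(EXPLICIT, "no"))
```

On a live system, `sshd -T` prints the effective configuration directly and is the authoritative check.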