Subject: Re: sshd Change: PermitRootLogin = no
To: Curt Sampson <cjs@cynic.net>
From: Kevin Lo <kevlo@midassol.com>
List: tech-security
Date: 09/01/2001 23:32:09
Curt Sampson wrote:

>On Sat, 1 Sep 2001 itojun@iijlab.net wrote:
>
>>	i don't see your point.  if you believe
>>	secure shell protocol is secure enough, it should be okay to set
>>	PermitRootLogin to yes.
>>
>
>No, I don't believe secure shell protocol is secure enough. "We",
>being the NetBSD project, only allowed direct root logins for those
>with physical access to the machine (where you hardly need even a root
>password to get root). Ssh allows people to attempt logins remotely.
>
Ssh in this case uses a different policy.

The approach openssh is taking is pragmatic.

1) You're the admin, don't let your root password be compromised.

2) You're the admin -- most of the time you want to be able to get
   onto your boxes right after install.

3) You're the admin.  You're not stupid enough to have let the root
   passwd get out.

Realistically, in this case we are talking about a default that is
pragmatic, and creates no new vulnerability because the admin is smart.
If he's not smart, then a block on which tty can login as root is
not going to help much.

>>	if there's any buffer overrun or other
>>	vulnerability, root privilege will get compromised anyways regardless
>>	from PermitRootLogin.  what kind of middle ground are you aiming for?
>>
>
>Please re-read my commit message carefully, as well as the various
>messages here to see what the security policy was (and now is again),
>exactly.
>
>cjs
>
- Kevin
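The thread argues over the default, but an admin also has to know what value actually takes effect once a real `sshd_config` is in place. The following is an added example, not code from the thread, from OpenSSH or from NetBSD: a small audit that reads an `sshd_config` text and reports the effective `PermitRootLogin` value. It assumes the documented `sshd_config` rules that the first occurrence of a keyword wins, keywords are case-insensitive, a `#` at the start of a line begins a comment, and a `Match` line opens a conditional block. The compiled-in default is a parameter because it has differed between OpenSSH releases (it was `yes` when this thread was written). The sample configs are constructed for the demonstration.

```python
"""Audit the effective PermitRootLogin setting of an sshd_config file.

Added example for this thread; not OpenSSH or NetBSD code.
Assumptions (labelled): first occurrence of a keyword wins, keywords are
case-insensitive, whole-line '#' comments, and a 'Match' line starts a
conditional block that lasts until the next 'Match'. The compiled-in
default is passed in because it has changed across OpenSSH releases.
"""
import re

# keyword, then either ' = ' or whitespace, then the argument(s)
_DIRECTIVE = re.compile(r'^([A-Za-z][A-Za-z0-9]*)(?:\s*=\s*|\s+)(\S.*?)\s*$')

# Constructed sample configurations (not from the thread).
SAMPLE_DEFAULT = """
# No PermitRootLogin line at all: the compiled-in default applies.
Port 22
Protocol 2
"""

SAMPLE_LOCKED_DOWN = """
Port 22
PermitRootLogin = no
# A later duplicate is ignored by sshd: the first value wins.
PermitRootLogin yes
"""

SAMPLE_MATCH = """
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""


def root_login_policy(config_text, compiled_default="yes"):
    """Return {'global': value, 'match': [(criteria, value), ...]}.

    'global' is the value in force outside any Match block; 'match' lists
    the first PermitRootLogin value set inside each Match block, in order.
    """
    global_value = None
    match_values = []
    current_match = None   # criteria string of the Match block we are in
    seen_in_block = False  # first PermitRootLogin inside a block wins

    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        keyword, arg = m.group(1).lower(), m.group(2)
        if keyword == 'match':
            current_match = arg
            seen_in_block = False
            continue
        if keyword != 'permitrootlogin':
            continue
        value = arg.lower()  # sshd compares this argument case-insensitively
        if current_match is None:
            if global_value is None:
                global_value = value
        elif not seen_in_block:
            match_values.append((current_match, value))
            seen_in_block = True

    if global_value is None:
        global_value = compiled_default
    return {'global': global_value, 'match': match_values}


def findings(policy):
    """List the conditions a defender would want flagged."""
    out = []
    if policy['global'] == 'yes':
        out.append('global PermitRootLogin yes: remote root password '
                   'logins are accepted')
    for criteria, value in policy['match']:
        if value == 'yes':
            out.append('Match %s re-enables PermitRootLogin yes' % criteria)
    return out


if __name__ == '__main__':
    for name, cfg in (('default', SAMPLE_DEFAULT),
                      ('locked-down', SAMPLE_LOCKED_DOWN),
                      ('match-block', SAMPLE_MATCH)):
        policy = root_login_policy(cfg)
        print(name, policy, findings(policy) or ['ok'])
```

Running the script against a real file is a matter of `root_login_policy(open('/etc/ssh/sshd_config').read())`; note that it only reads the file, so it reports what the configuration says, not what a running `sshd` was started with.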