Subject: re: sshd Change: PermitRootLogin = no
To: matthew green <mrg@eterna.com.au>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 09/02/2001 23:51:06
On Sat, 1 Sep 2001, matthew green wrote:

>    	do you really want to change the DEFAULT behavior, or are you happy with
>    	changing sshd.conf locally?  i don't see your point.  if you believe
>    	secure shell protocol is secure enough, it should be okay to set
>    	PermitRootLogin to yes.  if there's any buffer overrun or other
>    	vulnerability, root privilege will get compromised anyways regardless
>    	of PermitRootLogin.  what kind of middle ground are you aiming for?
>
> the issue isn't about whether ssh is secure enough or not.  it's about
> being *consistent* within our own set of tools.

Yes, actually, it is about whether ssh is secure enough. Because as I said
in a note to Curt, for years we have babbled on (when talking about
default configs, etc.) about "secure" terminals, not "physically local"
ones. So if ssh gives us a connection which "we" consider "secure", then
we *are* being consistent within our own tools in allowing root to login.

> until ssh was integrated into netbsd, it was virtually impossible for
> anyone to login as root except on the console, until that ability was
> configured by the sysadmin.  i.e.:
>
> 	- add users
>
> 	- add users to group wheel (or remove all entries from group
> 	  wheel)
>
> 	- tell users root password.

Uhm, it still is as you described. By default, we do not enable sshd. So
for someone to be able to log in as root via ssh, the admin had to sit at
the above mentioned console and enable ssh.

> and still they could only access root via a physical console or after
> having already authenticated themselves.  when ssh was integrated, all
> that one needs is for sshd to be enabled and the root password to be
> known.  this *totally* changes the NetBSD default.  and that's why it
> has been changed to not permit root login.  *not* ssh vs. anything else
> but *self consistency in NetBSD*.

"Self consistency" does not cut it as a reason. What we had before was
arguably self consistent (as evidenced by the fact that I am arguing that it
was self consistent :-) ).

(this next part to a more general audience than Matt) Did anyone really
ask about this before the change was made? From what I gather, there was a
thread on port-i386 and on icb. While these are both fine forums, they
strike me as rather inappropriate places to discuss security issues. After
all, isn't that what tech-security is for??

Take care,

Bill