On Tue, 4 Sep 2001, Bill Studenmund wrote:

> By your understanding of the policy NetBSD has had. By my understanding,
> we have required these logins happen over "secure" ttys. And in my book,
> ssh connections (with the right levels of security) count as "secure",
> thus there was no inconsistency.

Well, you can make up whatever definition of "secure" you like. But your
interpretation does not seem to be the logical one, given that:

    1. The ptys that ssh uses have never been marked as "secure"
    in /etc/ttys.

    2. Even if you added "secure" to the definition lines, they still
    would not be marked as "secure" because they're not "on".

    3. Telnet uses those exact same ptys for the same purpose, and did
    not and does not allow direct root logins on them.

> You've dived into a policy decision. You are more than welcome to want to
> require that for your sites, but a number of admins have decided that
> knowing whomever acts as root is one of the root-accepted people (someone
> who is supposed to know the password), things are fine.

I don't understand why you make this point. I think pretty much everyone
here agrees with you that admins can and should use whatever settings
for ssh best suits them, and this change certainly does not prevent that.
So what are you trying to say?

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 3 5778 0123   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC