Subject: Re: sshd Change: PermitRootLogin = no
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: current-users
Date: 09/01/2001 10:54:12
[cc's trimmed down]

"what matt said".

Reasonable folks may disagree as to whether it's appropriate to permit
direct root logins under various circumstances and types of
authentication.

That's not the issue here; the issue is what the *default
configuration* as shipped by NetBSD should be.

At least in my experience the "best practice" for security defaults
is, unquestionably, "when in doubt, turn it off".

I'd actually go so far as to say that the default sshd config file
should disable *all* authentication methods, forcing the administrator
to choose which of the dozens of different authentication methods are
appropriate for their environment.

					- Bill
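
An added example, not part of the original message: a small Python check that reports which authentication methods an `sshd_config` leaves enabled, to show what "off unless the administrator turns it on" means against a real file. The defaults table reflects current portable OpenSSH, which is an assumption, and the sample config is constructed.

```python
# Added example, not from the original message. DEFAULTS are those of current
# portable OpenSSH (assumption; the 2001 sshd under discussion may differ).
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "hostbasedauthentication": "no",
    "gssapiauthentication": "no",
    "kerberosauthentication": "no",
    "permitrootlogin": "prohibit-password",
}
# Deprecated spelling that sshd still accepts for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
AUTH_KEYS = [k for k in DEFAULTS if k != "permitrootlogin"]

def effective_settings(config_text):
    """Effective global values: keywords are case-insensitive, first one wins."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # simplification: only the global section is evaluated
        if key in DEFAULTS and len(parts) > 1:
            settings.setdefault(key, parts[1].lower())
    return {k: settings.get(k, default) for k, default in DEFAULTS.items()}

def enabled_methods(config_text):
    """Authentication keywords whose effective value is anything but 'no'."""
    eff = effective_settings(config_text)
    return sorted(k for k in AUTH_KEYS if eff[k] != "no")

def root_login_allowed(config_text):
    return effective_settings(config_text)["permitrootlogin"] != "no"

# Constructed sample: the second PasswordAuthentication line has no effect.
SAMPLE = """# constructed sample
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User admin
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    print(enabled_methods(SAMPLE), root_login_allowed(SAMPLE))
```

An empty file is the useful case to try: everything reported for it is enabled only because of a built-in default, not because an administrator chose it.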