Subject: Re: PermitRootLogin in SSHd (WAS: Re: Telnet logins)
To: David Maxwell <david@vex.net>
From: Brian A. Seklecki <lavalamp@burghcom.com>
List: port-i386
Date: 08/27/2001 23:40:58
Actually, OpenBSD OpenSSH 2.9p2 ships with X11 forwarding and
PermitRootLogin set to true/on

For the record, at work I am upgrading 50+ Sun boxen to 2.9p2.  I am
individually identifying machines that are currently using RSA/DSA key
based authentication.  If the file system doesn't contain
"*authorized_keys*", the machine will have the following key values in the
config:

> PermitRootLogin no
> PermitEmptyPasswords no
> X11Forwarding no
> RSAAuthentication no

If it becomes a problem at a later date (i.e., our I.S. team wants to
clusterfaq the boxes with remotely executed scripts), we can re-enable
these features at a later date.

We all know that we sleep better knowing that these superfluous features
are disabled, especially when there are more important things to worry
about (like Sendmail bugs).

Certainly some of the same reasoning applies to the default NetBSD
installation.

"Risk management, not avoidance"

--Brian

On Mon, 27 Aug 2001, David Maxwell wrote:

> On Mon, Aug 27, 2001 at 04:28:22PM -0700, Andrew Gillham wrote:
> > On Mon, Aug 27, 2001 at 05:40:54PM -0400, David Maxwell wrote:
> > >
> > > Not quite the same thing - as using telnet to login as root is only
> > > slightly better than writing your root password on the nearest bathroom
> > > door. ("For a good time, login...")
> >
> > Even with the '-x' option?  I thought kerberos was supposed to be secure?
>
> The default config of the daemon supports plaintext logins - and there's
> no guarantee that -x is available in your telnet client implementation.
>
> Also, disabling root logins was done back when telnetd was enabled in a
> standard installation, so the defaults were picked with that in mind.
> The fact that there may be a safe way to use telnet doesn't make it okay
> to ignore that it's likely to be used unsafely.
>
> For that matter, compare OpenSSH's choice to remove the 'none' cipher,
> to prevent people from unsafely using a 'Secure Shell'.
>
> --
> David Maxwell, david@vex.net|david@maxwell.net --> Mastery of UNIX, like
> mastery of language, offers real freedom. The price of freedom is always dear,
> but there's no substitute. Personally, I'd rather pay for my freedom than live
> in a bitmapped, pop-up-happy dungeon like NT. - Thomas Scoville
>
>
>

--Brian

 ----

"GNU/Linux: About as stable as the elements at the bottom of the periodic
table"
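The procedure Brian describes above (look for authorized_keys on the box; if there are none, pin the four sshd_config directives to "no") written out as a POSIX sh script. This is an added example, not code from the original post or from OpenSSH; the function names, the config path and home-directory root passed as arguments, and the sample config in the test are assumptions made for illustration. The audit function is included so the same list can be checked later without re-applying it.

```shell
#!/bin/sh
# Added example (not from the original post): apply the "no authorized_keys,
# so disable the superfluous features" rule to an sshd_config, and audit it.
# Assumes: $1 = path to sshd_config, $2 = directory under which user home
# directories live. The directive list is the one given in the post.

SSHD_HARDENING="PermitRootLogin no
PermitEmptyPasswords no
X11Forwarding no
RSAAuthentication no"

# Succeed (exit 0) if any authorized_keys file exists below the given root,
# i.e. the machine is using key-based authentication and must be left alone.
has_authorized_keys() {
    root="$1"
    [ -n "$(find "$root" -type f -name 'authorized_keys*' 2>/dev/null | head -n 1)" ]
}

# Set "key value" in a config file. sshd uses the FIRST occurrence of a
# keyword, so an existing (possibly commented-out) line is removed before
# the new one is appended; otherwise an earlier "PermitRootLogin yes" wins.
set_sshd_option() {
    cfg="$1"; key="$2"; val="$3"
    tmp="${cfg}.tmp.$$"
    grep -v -E "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$cfg" > "$tmp" || :
    printf '%s %s\n' "$key" "$val" >> "$tmp"
    mv "$tmp" "$cfg"
}

# Apply the hardening list unless key-based auth is in use on this host.
# Returns 1 (and changes nothing) when authorized_keys files were found.
harden_sshd_config() {
    cfg="$1"; homes="$2"
    if has_authorized_keys "$homes"; then
        echo "key-based auth in use under $homes; leaving $cfg untouched" >&2
        return 1
    fi
    echo "$SSHD_HARDENING" | while read -r key val; do
        set_sshd_option "$cfg" "$key" "$val"
    done
}

# Report every directive that is not set to the expected value.
# Returns 0 when all four are as listed, 1 otherwise.
audit_sshd_config() {
    cfg="$1"; rc=0
    for kv in $(echo "$SSHD_HARDENING" | tr ' ' '='); do
        key="${kv%%=*}"; val="${kv#*=}"
        if ! grep -q -E "^[[:space:]]*${key}[[:space:]]+${val}[[:space:]]*$" "$cfg"; then
            echo "$cfg: $key is not set to '$val'" >&2
            rc=1
        fi
    done
    return $rc
}
```

Run it as `harden_sshd_config /etc/sshd_config /home` on a host, then `audit_sshd_config /etc/sshd_config` from cron or a config check to catch the settings drifting back. The replace-then-append step matters more than it looks: because sshd honours the first value it reads for a keyword, simply appending "PermitRootLogin no" below a stock "PermitRootLogin yes" leaves root login enabled.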