Subject: re: sshd Change: PermitRootLogin = no
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.ORG>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 09/03/2001 17:06:18

On Tue, 4 Sep 2001, Greg A. Woods wrote:

> [ On Sunday, September 2, 2001 at 23:51:06 (-0700), Bill Studenmund wrote: ]
> > Subject: re: sshd Change: PermitRootLogin = no
> >
> > Yes, actually, it is about whether ssh is secure enough. Because as I said
> > in a note to Curt, for years we have babbled on (when talking about
> > default configs, etc.) about "secure" terminals, not "physically local"
> > ones. So if ssh gives us a connection which "we" consider "secure", then
> > we *are* being consistent within our own tools in allowing root to login.
>
> Yeah, _HOWEVER_ nothing but the physical console is marked to be
> "secure" BY DEFAULT on NetBSD.  Turning PermitRootLogin off _IS_
> consistent with past policy!!!!

No, for two reasons. 1) We do have things other than the physical console
marked "secure" in /etc/ttys by default. 2) The model of /etc/ttys really
doesn't fit with network logins (secure or insecure). We don't even mark
network connections (well pty's) as "on" or "off"! They don't fit the
model. So saying that this change makes sense because pty's don't fit one
part of the /etc/ttys model, while pty's don't fit other parts of said
model, doesn't make sense.

I mean, is there ever a time any sane person would ever mark a pty as
"secure" in /etc/ttys? That would be such a glaring security hole (I can
go into details if you like) that the fact no one does it is not (IMHO) a
reasonable reason to justify any change to ssh's setup. Using "secure"
with a pty is a hole as glaringly open as say making /bin and /sbin and
/usr world writable!

Come on, if we're going to make changes, let's have better ones than this!
:-)

Take care,

Bill
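
An added example, not part of the original message: a small audit that lists which /etc/ttys entries carry "secure", flags any pty that does, and reads the explicit PermitRootLogin value from an sshd_config. The sample file contents and the pty name pattern are constructed assumptions for illustration.

```python
import re
import shlex

# Constructed sample in /etc/ttys layout: name, getty command, type, status flags.
SAMPLE_TTYS = """\
console "/usr/libexec/getty Pc"       vt100   on secure
ttyE1   "/usr/libexec/getty Pc"       vt220   off secure
tty00   "/usr/libexec/getty std.9600" unknown off secure
ttyp0   none                          network
ttyp1   none                          network secure  # constructed misconfiguration
"""

# Constructed sshd_config fragment.
SAMPLE_SSHD = """\
# PermitRootLogin yes
Protocol 2
PermitRootLogin no
PermitRootLogin yes
"""

# Assumption: BSD-style pty names (ttyp0 ... ttyzf and the ttyP-ttyT banks).
PTY_NAME = re.compile(r"^tty[p-zP-T][0-9a-zA-Z]$")

def parse_ttys(text):
    """Return {tty name: set of status flags} for each entry."""
    entries = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # handles quoted getty and '#'
        if len(fields) >= 3:
            entries[fields[0]] = set(fields[3:])
    return entries

def secure_ttys(text):
    """Names of all entries carrying the 'secure' flag (root login allowed)."""
    return sorted(n for n, f in parse_ttys(text).items() if "secure" in f)

def secure_ptys(text):
    """Pseudo-terminals marked 'secure': the hole described in the message."""
    return [n for n in secure_ttys(text) if PTY_NAME.match(n)]

def permit_root_login(text):
    """Explicit PermitRootLogin value; the first occurrence is the one that counts."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ").split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return None  # not set explicitly; the built-in default applies

if __name__ == "__main__":
    print("secure ttys:", secure_ttys(SAMPLE_TTYS))
    print("secure ptys:", secure_ptys(SAMPLE_TTYS))
    print("PermitRootLogin:", permit_root_login(SAMPLE_SSHD))
```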