Subject: Re: sshd Change: PermitRootLogin = no
To: Steven M. Bellovin <smb@research.att.com>
From: Curt Sampson <cjs@cynic.net>
List: tech-security
Date: 09/07/2001 12:40:34

On Thu, 6 Sep 2001, Steven M. Bellovin wrote:
> I personally administer four NetBSD machines, not 300 -- but even with 2,
> I want a better way to handle patches and upgrades. No two of my four
> machines have a consistent set of patches, a fact I'm not proud of.

Mmmm, well, "PermitRootLogin yes" isn't *quite* a full solution to this
problem. :-)

> >Or has this thread changed from a discussion of what NetBSD should ship
> >with as a default to what individual admins should set (or be compelled
> >to set) at their sites?
>
> I think that that's the wrong question. I want to know what NetBSD
> should do structurally so that either choice is safe.

Maybe this:

Modify ssh so that if you log in as root, you must authenticate twice,
once as a user in the wheel group, and once as root. You'd be able to
use any of the standard authentication methods (password, key, etc.) for
each authentication, of course.

cjs
--
Curt Sampson <cjs@cynic.net> +81 3 5778 0123 http://www.netbsd.org
Don't you know, in this new Dark Age, we're all light. --XTC