On Jul 10, 2008, at 9:19 PM, "Brian A. Seklecki" <[EMAIL PROTECTED]> wrote:

On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote:
maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list

There is a security risk / attack vector here, however remote, without password quality and failed-login tarpit/delay mechanisms, a remote root password is subject to brute force.

Plus, hypothetically, how strong is a temporary root password going to be? It's not going to be the one that you use in production, so likely you're going to recycle the same one after every install.

Don't be stupid. Problem solved.




- Yes qualified administrators filter sshd(8) w/ pf(4)
- Yes qualified administrators choose strong passwords
- Yes qualified administrators disable PermitRootLogin afterboot
- Yes qualified administrators always use sudo(8) and never use
 root shells

I propose, as a compromise, wrapping PermitRootLogin around a Match statement, limited to the default local subnet gleaned during the install network config (no "LocalSubnets" macro exists in sshd_config(5), afaik, but that would be best)

It's just the right thing to do; and we should be leading by example.

Either way, it's a healthy discussion worth having.

~~BAS



PermitStupidEmails No

as the default.

i really fail to see how this setting does anything other than make mgmt types worry because they don't really understand security.


On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote:
On Thu, 10 Jul 2008, Marco Peereboom wrote:

Of course it is enabled by default.  Why do I want a box that is
freshly installed and unreachable?
No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd. I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely.
Even with CF/Embedded, you ship out master.passwd prepopulated.
And this is likely the rationale why the rest of the projects changed it.
~~BAS

On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote:
Am I reading this right?
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80&content-type=text/x-cvsweb-markup
I don't have a fresh install anywhere -- but I want to say that it doesn't
default to PermitRootLogin yes after the install.
I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this
changed, but Redhat Support is giving some noise about:
"Well the source vendor doesn't disable it by default ..."
~BAS



l8*
   -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
          http://www.spiritual-machines.org/

   "Guilty? Yeah. But he knows it. I mean, you're guilty.
   You just don't know it. So who's really in jail?"
   ~Maynard James Keenan
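
The Match-based compromise proposed in the thread, modeled as an added example (not code from the thread or from OpenSSH): a small Python check that reports which PermitRootLogin value applies to a given client address. The subnet 192.168.1.0/24 and the function names are assumptions, and only "Match Address" with CIDR or plain addresses and "Match all" are evaluated.

```python
import ipaddress

# Constructed sample: root login refused globally, allowed only from an
# assumed install-time local subnet (192.168.1.0/24).
SAMPLE_CONFIG = """\
# constructed example, not a shipped default
PermitRootLogin no

Match Address 192.168.1.0/24
    PermitRootLogin yes
"""

def address_matches(patterns, client_ip):
    """True if client_ip is inside any comma-separated CIDR/address pattern."""
    ip = ipaddress.ip_address(client_ip)
    for pat in patterns.split(","):
        try:
            if ip in ipaddress.ip_network(pat.strip(), strict=False):
                return True
        except ValueError:
            continue  # wildcard and negated patterns are not modeled here
    return False

def effective_root_login(config_text, client_ip, default="unset"):
    """Return the PermitRootLogin value that applies to client_ip."""
    global_value = match_value = None
    in_match = block_applies = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            # Everything after a Match line belongs to that block.
            in_match = True
            crit = arg.split(None, 1)
            is_addr = len(crit) == 2 and crit[0].lower() == "address"
            block_applies = arg.lower() == "all" or (
                is_addr and address_matches(crit[1], client_ip))
        elif key == "permitrootlogin":
            if not in_match and global_value is None:
                global_value = arg.lower()  # first global value is used
            elif in_match and block_applies and match_value is None:
                match_value = arg.lower()   # matching block overrides global
    return match_value or global_value or default
```

Running a check like this over a deployed sshd_config for a documentation address such as 203.0.113.7 shows whether root login is still reachable from outside the intended subnet.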
