Alain Tesio wrote:
>
> Also look at the comments on the latest thread on
> DebianPlanet; it seems the update changes the sshd
> config on potato and allows a root login.
>

Yes, root login is allowed. The ssh maintainer decided this after a long discussion, and he closes all bug reports relating to this feature.
See: /usr/share/doc/ssh/README.Debian.gz

PermitRootLogin set to yes
--------------------------

This is now the default setting (in line with upstream), and people who asked for an automatically-generated configuration file when upgrading from potato (or on a new install) will have this setting in their /etc/ssh/sshd_config file.

Should you wish to change this setting, edit /etc/ssh/sshd_config, and change:

    PermitRootLogin yes

to:

    PermitRootLogin no

Having PermitRootLogin set to yes means that an attacker that knows the root password can ssh in directly (without having to go via a user account). If you set it to no, then they must compromise a normal user account. In the vast majority of cases, this does not give added security; remember that any account you su to root from is equivalent to root - compromising this account gives an attacker access to root easily.

If you only ever log in as root from the physical console, then you probably want to set this value to no.

As an aside, PermitRootLogin can also be set to "without-password" or "forced-commands-only" - see sshd(8) for more details.

DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!

The argument above is somewhat condensed; I have had this discussion at great length with many people. If you think the default is incorrect, and feel strongly enough to want to argue with me about it, then send me email to [EMAIL PROTECTED] I will close bug reports claiming the default is incorrect.

One last thing that surprised me: I was able to connect to a machine (on which I have an account) using the login of a user who has "/bin/false" as their shell. I ended up in my home directory. This led me to add the following line to the file "/etc/pam.d/ssh":

    auth required pam_shells.so

Can someone else test this?
-- 
==============================================
|              FREDERIC MASSOT               |
|     http://www.juliana-multimedia.com      |
|         mailto:[EMAIL PROTECTED]           |
===========================Debian=GNU/Linux===
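An audit of the two settings discussed in this message, as an added example that is not part of the original post or of the Debian ssh package: it reads the effective global PermitRootLogin value from sshd_config text, checks whether the PAM stack for ssh requires pam_shells.so, and lists the accounts whose shell is absent from /etc/shells. The function names and sample file contents are constructed for illustration; Match blocks and PAM @include lines are not followed.

```python
# Added example: function names and sample file contents are constructed.

def effective_permit_root_login(sshd_config_text, default="yes"):
    """Global PermitRootLogin value. sshd keeps the first value it reads for a
    keyword; `default` is "yes" only because the README quoted above says so."""
    for raw in sshd_config_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()   # "Keyword=value" is allowed
        if not parts:
            continue
        if parts[0].lower() == "match":             # later lines are conditional
            break
        if parts[0].lower() == "permitrootlogin" and len(parts) > 1:
            return parts[1].lower()
    return default

def pam_requires_valid_shell(pam_text):
    """True if an auth line marked required/requisite loads pam_shells.so."""
    for raw in pam_text.splitlines():
        f = raw.split("#", 1)[0].split()
        if (len(f) >= 3 and f[0] == "auth"
                and f[1] in ("required", "requisite")
                and f[2].endswith("pam_shells.so")):
            return True
    return False

def accounts_refused_by_pam_shells(passwd_text, shells_text):
    """Accounts whose (non-empty) login shell is not listed in /etc/shells."""
    allowed = {s.strip() for s in shells_text.splitlines()
               if s.strip() and not s.lstrip().startswith("#")}
    refused = []
    for entry in passwd_text.splitlines():
        f = entry.strip().split(":")
        if len(f) == 7 and f[6] and f[6] not in allowed:
            refused.append(f[0])
    return refused

# Constructed sample inputs (not taken from any real host).
SAMPLE_SSHD = "# sshd_config\nPort 22\npermitrootlogin yes\nPermitRootLogin no\n"
SAMPLE_PAM = "auth required pam_unix.so\n#auth required pam_shells.so\n"
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "ftpuser:x:1001:1001::/home/ftpuser:/bin/false\n")
SAMPLE_SHELLS = "# /etc/shells\n/bin/sh\n/bin/bash\n"

if __name__ == "__main__":
    print("PermitRootLogin:", effective_permit_root_login(SAMPLE_SSHD))
    print("pam_shells enforced:", pam_requires_valid_shell(SAMPLE_PAM))
    print("refused:", accounts_refused_by_pam_shells(SAMPLE_PASSWD, SAMPLE_SHELLS))
```

On a real host, pass the contents of /etc/ssh/sshd_config, /etc/pam.d/ssh, /etc/passwd and /etc/shells to these functions.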

