Hi, how about this one:
PermitRootLogin 192.168.1

Should any of the SSH maintainers be reading this: possible new SSH feature?

Bill

On Thu, 2006-11-23 at 12:24 +0100, Igor Sobrado wrote:
> Hi again!
>
> I have a question on the default behaviour of OpenSSH. Please do not
> take it that I am complaining about it or trying to change its behaviour
> in relation to remote root logins being allowed by default on OpenSSH (but
> I certainly believe it would be nice; that is the reason I write this
> message to the misc@ mailing list). I just want to share my opinion with
> the members of this mailing list.
>
> First of all, I understand that remote root logins can be easily
> avoided by setting "PermitRootLogin" to "no" in /etc/ssh/sshd_config.
> I guess that remote root logins are allowed by default to simplify
> management of small network appliances that do not have user accounts
> on them. But these appliances are only a small number of all OpenBSD
> installations and, even if this number is not so small, a restricted
> (non-root) account in the group wheel, and probably in the group operator
> too, on these devices is advisable to avoid damaging these appliances
> by mistake.
>
> In my humble opinion, there are three reasons to deny remote root logins
> by default:
>
> 1. Remote root login enabled by default makes the wheel group
>    superfluous (i.e., why are users added to the wheel group when
>    a user not in this group can log in as root, once the root
>    password is known to him, by just typing "ssh [EMAIL PROTECTED]"?)
>
> 2. There are a lot of threats against the root account based on
>    brute-force attacks. Most of us see logs on this matter on our
>    workstations and servers. Sometimes these threats, carried out by
>    humans, network scanners or even worms, are successful. It is
>    just a matter of (bad) luck.
>
> 3. OpenBSD is "secure by default"; all services should be configured
>    to the most secure defaults. I think that this reason is as good
>    as the previous ones. And not allowing remote root logins by
>    default makes sense to me in relation to this goal.
>
> Someone who really wants to allow remote root logins should be able to
> enable this feature by just changing /etc/ssh/sshd_config. But, in my
> humble opinion, most users do not really want this dangerous feature
> enabled by default. And, even on small network appliances, an unprivileged
> account in the wheel group (and even in the operator group) is a good
> management practice.
>
> [Please send copies of replies to this post to me if possible. I will
> do my best to answer any post, even if not sent to me, but it will be
> more difficult tracking who sent the message I am replying to.]
>
> Cheers,
> Igor.
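The two positions in this thread, "deny root by default" and "allow root only from a trusted network", are both expressible in sshd_config: a global `PermitRootLogin no` with a `Match Address` block that re-enables it for one CIDR range. The script below is an added example written for this page (not code from OpenSSH or from either poster) that audits such a config: it reports the effective PermitRootLogin value a given client address would get, so an administrator can verify that the default really is "no" for everyone outside the management LAN. It models only a subset of sshd semantics (an assumption stated in the code): keywords are case-insensitive, the first value obtained for a keyword wins, only the `Address` criterion of `Match` is honoured, and address patterns are plain IPs or CIDR ranges. The sample configurations and client addresses are constructed for the example.

```python
"""Audit the effective PermitRootLogin setting of an sshd_config for a
given client address.

Added example for this thread, not code from OpenSSH or from the posters.
Assumed (simplified) sshd_config semantics: keywords are case-insensitive,
the first value obtained for a keyword wins, and a "Match Address" block
overrides the global section for clients inside one of its CIDR/IP
patterns. Match blocks with any other criterion are skipped, and wildcard
or negated address patterns are not supported.
"""
import ipaddress

# Constructed sample: deny root everywhere, then re-enable it only for a
# management network, which is the shape of the feature Bill asks about.
HARDENED_CONFIG = """\
# Secure default: no remote root logins
PermitRootLogin no
PasswordAuthentication yes

# Management LAN may still log in as root
Match Address 192.168.1.0/24
    PermitRootLogin yes
"""

# Constructed sample of the situation Igor describes: the keyword is not
# set at all, so sshd's compiled-in default applies.
UNSET_CONFIG = """\
PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_options, match_blocks).

    global_options: {keyword_lower: value} for the section before any Match.
    match_blocks: list of (criteria_dict, {keyword_lower: value}).
    Within each section the first value seen for a keyword is kept.
    """
    global_opts = {}
    blocks = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1]
                        for i in range(0, len(tokens) - 1, 2)}
            current = {}
            blocks.append((criteria, current))
            continue
        current.setdefault(keyword, value)     # first obtained value wins
    return global_opts, blocks


def address_matches(client_ip, patterns):
    """True if client_ip lies inside any comma-separated CIDR/IP pattern."""
    ip = ipaddress.ip_address(client_ip)
    for pat in patterns.split(","):
        pat = pat.strip()
        if pat and ip in ipaddress.ip_network(pat, strict=False):
            return True
    return False


def effective_permit_root_login(text, client_ip, compiled_default="yes"):
    """Effective PermitRootLogin for one client address.

    compiled_default stands in for sshd's built-in default when the keyword
    is absent; the thread describes that default as "yes" (assumption: the
    OpenSSH of 2006). Pass "no" or another value to model other releases.
    """
    global_opts, blocks = parse_sshd_config(text)
    for criteria, opts in blocks:
        # Only blocks whose sole criterion is Address are evaluated.
        if set(criteria) != {"address"}:
            continue
        if not address_matches(client_ip, criteria["address"]):
            continue
        if "permitrootlogin" in opts:
            return opts["permitrootlogin"].lower()
    return global_opts.get("permitrootlogin", compiled_default).lower()


def audit(text, client_ips, compiled_default="yes"):
    """Map each client address to (effective value, verdict)."""
    report = {}
    for ip in client_ips:
        value = effective_permit_root_login(text, ip, compiled_default)
        report[ip] = (value, "ok" if value == "no" else "root login possible")
    return report


if __name__ == "__main__":
    clients = ["192.168.1.77", "203.0.113.5"]   # constructed: LAN host, Internet host
    for name, cfg in (("hardened", HARDENED_CONFIG), ("unset", UNSET_CONFIG)):
        print(name)
        for ip, (value, verdict) in audit(cfg, clients).items():
            print(f"  {ip:15} PermitRootLogin={value:4} {verdict}")
```

Running it shows the hardened config yielding "yes" only for the 192.168.1.0/24 host and "no" for the Internet address, while the config with the keyword unset falls back to whatever default is assumed, which is exactly the gap Igor's message is about.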