On Mon, Jan 27, 2003, Vinod Kutty wrote:
>
> Just a suggestion:
>
> Would it make sense to have the default, out-of-the-box config of
> openssh's sshd_config use these options:
>
> UsePrivilegeSeparation yes (current default = no)
> PermitRootLogin no (current default = yes)
>
> in order to make the default config a little more "secure" (whatever that
> means 8-) )?
>
> Currently, the openpkg 1.1.x and 1.2 packaging of openssh 3.4p1 and 3.5p1
> use the above defaults in parentheses. The vanilla openssh appears to set
> "UsePrivilegeSeparation yes".
>

We tried using "UsePrivilegeSeparation" (see http://cvs.openpkg.org/chngview?cn=3611) when there was a strong urge to improve OpenSSH in March and June 2002 (see http://www.openpkg.org/security/OpenPKG-SA-2002.002-openssh.html and http://www.openpkg.org/security/OpenPKG-SA-2002.005-openssh.html). However, we had to find out that this new feature was incompatible with compression on some and PAM on all platforms, so we reverted to the old-fashioned way (see http://cvs.openpkg.org/chngview?cn=3718). You can easily find more details by having a look at the timeline of openssh.spec (see http://cvs.openpkg.org/rlog?f=openpkg-src/openssh/openssh.spec). When we did research on using that new feature we had to find out it breaks the OpenPKG design goal of supporting different UNIX flavours equally. I do not currently believe it's time for another try, but we'll watch that issue.
Regarding "PermitRootLogin" you're right. The OpenPKG default comes from the fact that the origin of OpenPKG is an ISP environment where OpenSSH is usually installed for remotely managing machines, and this is mostly done (or started and then "su - cw" :-) using the root account. If we change that default, we would have to manually do that configuration on every installation. However, it seems Ralf already made the decision to follow your suggestion.

-- 
[EMAIL PROTECTED]
Development Team, Application Services, Cable & Wireless Deutschland GmbH

______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
User Communication List                              [EMAIL PROTECTED]
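A small audit helper for the two settings the thread discusses, added here as an example and not code from the thread or from the OpenPKG project. It reports the effective value of an sshd_config keyword the way sshd resolves it (first occurrence wins, keyword names are case-insensitive, full-line comments are ignored, and a missing keyword falls back to the default you pass in) and compares it with the values Vinod proposed; the sample config is constructed, and Match blocks are assumed absent.

```shell
#!/bin/sh
# effective_sshd_option FILE KEYWORD DEFAULT
# Prints the value sshd would use for KEYWORD: the first matching line wins,
# later duplicates are ignored, keyword matching is case-insensitive, lines
# starting with '#' and blank lines are skipped, and "Keyword=value" is
# accepted alongside "Keyword value". DEFAULT is printed if KEYWORD is absent.
effective_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                    # comment or blank line
        { gsub(/=/, " ") }                         # allow Keyword=value
        NF >= 2 && tolower($1) == key && !found { print $2; found = 1 }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Checks the two settings from the thread against the proposed values.
# The third field of each spec is the OpenPKG 1.1.x/1.2 default quoted in
# the thread (PermitRootLogin yes, UsePrivilegeSeparation no), used when the
# keyword is not set at all. Returns 0 only if both settings match.
audit_sshd_config() {
    rc=0
    for spec in "PermitRootLogin:no:yes" "UsePrivilegeSeparation:yes:no"; do
        key=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; def=${rest#*:}
        have=$(effective_sshd_option "$1" "$key" "$def")
        if [ "$have" = "$want" ]; then
            printf 'OK    %s = %s\n' "$key" "$have"
        else
            printf 'WEAK  %s = %s (want %s)\n' "$key" "$have" "$want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the commented line does not count, the lowercase
# "permitrootlogin yes" is the first real occurrence and therefore wins,
# and the later "PermitRootLogin no" is ignored by sshd.
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin no' 'Port 22' 'permitrootlogin yes' \
    'PermitRootLogin no' 'UsePrivilegeSeparation = yes' > "$sample"
if audit_sshd_config "$sample"; then
    echo "sshd_config matches the proposed defaults"
else
    echo "sshd_config differs from the proposed defaults"
fi
rm -f "$sample"
```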
