Re: sshd_config(5) PermitRootLogin yes
You can setup weak root password during install ;-) There is no test,so I can use root,password,admin and so on. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Giancarlo Razzolini Sent: Thursday, July 10, 2008 8:16 PM To: Paul de Weerd Cc: Brynet; misc@openbsd.org Subject: Re: sshd_config(5) PermitRootLogin yes Paul de Weerd escreveu: On Thu, Jul 10, 2008 at 01:21:20PM -0400, Brynet wrote: The keyword here is *default*. Say you installed OpenBSD on a soekris, it's nice having root enabled temporarily. That way you can login at a later time, create a lesser privledged account, edit the sudoers file.. and disable root logins in sshd_config. Note that you can already create this account and edit sudoers while still in the installer kernel. Simply `mnt/usr/sbin/chroot /mnt` and you are in your new system where you can change basic things (such as adding users and editing config files, do not expect to be able to do more fancy stuff like firewalling (so you can edit pf.conf, you just can not load it until after rebooting), you're still in the install kernel which lacks several key features provided by the regular kernel). root logins are also quite useful when /home is on NFS and NFS is broken somehow and you need to log in to fix stuff. Myself, I keep it enabled, even if I don't have /home on NFS and already have my less-privileged user for sudo access setup. Cheers, Paul 'WEiRD' de Weerd I do prefer to use the siteXX.tgz and the install.site script to do this, since it is the recommended way to customize the install process: http://www.openbsd.org/faq/faq4.html#site I remember other thread on this list about this. At some point someone asked Why not ask the installing user to create an unprivileged account during the install process?. The answer was simple and very coherent: Because we want the user to give root user a strong password. If we prompt for another user creation, it will tend to pick a weak password. I agreed with that and prefer having things like this. The portable ssh version also come with PermitRootLogin defaulted to yes. I don't see this as a security breach. Just pick a strong root password, create a user, edit sudoers, disable root login and you are done. My regards, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD Stable Ubuntu 8.04 Hardy Herom 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: sshd_config(5) PermitRootLogin yes
On Fri, 11 Jul 2008 07:16:38 +0100, Tomas Bodzar wrote: You can setup weak root password during install ;-) There is no test,so I can use root,password,admin and so on. Who gives a fluck? OpenBSD gives you all the tools, even if they are too sharp for dull blunts. If you don't like the defaults you have at least two options: 1 use something else. Is that more secure? Good for you. 2 figure out how to get what you want using the tools provided. It is possible to get your stated position. Now let this timewaster thread die its deserved death. Rod/ _ Depressed? Me? Don't make me laugh! :Spike Milligan:1918-2002:
Re: sshd_config(5) PermitRootLogin yes
Brian A. Seklecki wrote: On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote: maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list had I didn't want to rehash it all again. Everyone knows the issues. so put your own /etc/ssh/sshd_config into your siteXY.tgz install set and stop hard-selling this knob twist that would waste a lot of my and others' time. then your openbsd install can be as secure as you want with minimal effort. However, with respect to the right to disagree, if Marco's and Darrin's belief that if remote-network-postinstall configuration is the standing reason, then I consider myself in disagreement. Also, I think there is a false premise to the argument by Marco and Jacob that disabling remote root login by default does not provide real security, only a false illusion. That sounds like a slippery slope. We all know that security is a process. There is a security risk / attack vector here, however remote, without password quality and failed-login tarpid/delay mechanisms, a remote root password is subject to brute force. Plus, hypothetically, how strong is a temporary root password going to be? Its not going to be the one that you use in production, so likely you're going to recycle the same one after every install. - Yes qualified administrators filter sshd(8) w/ pf(4) - Yes qualified administrators choose strong passwords - Yes qualified administrators disable PermitRootLogin afterboot - Yes qualified administrators always use sudo(8) and never use root shells I propose, as a compromise, wrapping PermitRootLogin around a Match statement, limited to the default local subnet gleaned during the install network config (no LocalSubnets macro exists in sshd_config(5), afaik, but that would be best) Its just the right thing to do; and we should be leading by example. Either way, its a healthy discussion worth having. ~~BAS PermitStupidEmails No as the default. i really fail to see how this setting does anything other than make mgmt types worry because they don't really understand security.
Re: sshd_config(5) PermitRootLogin yes
My 4.3 installs defaulted to PermitRootLogin yes after install. -HKS On Thu, Jul 10, 2008 at 10:35 AM, Brian A. Seklecki [EMAIL PROTECTED] wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS
Re: sshd_config(5) PermitRootLogin yes
On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote:
Am I reading this right?
Yes.
[...]
I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get
this changed, but Redhat Support is giving some some noise about:
Well the source vendor doesn't disable it by default ...
This has been discussed. Check the archives if you'd like.
--
o--{ Will Maier }--o
| web:...http://www.lfod.us/ | [EMAIL PROTECTED] |
*-[ BSD: Live Free or Die ]*
Re: sshd_config(5) PermitRootLogin yes
Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS Hi Brian, The default is: PermitRootLogin yes As illustrated on below. HTH Fred bsd:fred /home/fred ssh [EMAIL PROTECTED] [EMAIL PROTECTED]'s password: Last login: Wed Mar 5 19:08:20 2008 OpenBSD 4.4-beta (GENERIC) #232: Wed Jul 2 12:31:55 MDT 2008 Welcome to OpenBSD: The proactively secure Unix-like operating system. Please use the sendbug(1) utility to report bugs in the system. Before reporting a bug, please try to reproduce it with the latest version of the code. With bug reports, please try to ensure that enough information to reproduce the problem is enclosed, and if a known fix for it exists, include that as well. Terminal type? [rxvt] # uname -a OpenBSD zaurus.crowsons.com 4.4 GENERIC#232 zaurus #
Re: sshd_config(5) PermitRootLogin yes
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian A. Seklecki Sent: Thursday, July 10, 2008 10:35 AM To: misc@openbsd.org Subject: sshd_config(5) PermitRootLogin yes Am I reading this right? http://www.openbsd.org/cgi- bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content- type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS afterboot(8) covers this http://www.openbsd.org/cgi-bin/man.cgi?query=afterbootapropos=0sektion=0ma npath=OpenBSD+Currentarch=i386format=html
Re: sshd_config(5) PermitRootLogin yes
Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable? On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS
Re: sshd_config(5) PermitRootLogin yes
The keyword here is *default*. Say you installed OpenBSD on a soekris, it's nice having root enabled temporarily. That way you can login at a later time, create a lesser privledged account, edit the sudoers file.. and disable root logins in sshd_config. I believe the developers decision is the best one in this case, it's one of the first thing I disable though.
Re: sshd_config(5) PermitRootLogin yes
On Thu, Jul 10, 2008 at 01:21:20PM -0400, Brynet wrote: The keyword here is *default*. Say you installed OpenBSD on a soekris, it's nice having root enabled temporarily. That way you can login at a later time, create a lesser privledged account, edit the sudoers file.. and disable root logins in sshd_config. Note that you can already create this account and edit sudoers while still in the installer kernel. Simply `mnt/usr/sbin/chroot /mnt` and you are in your new system where you can change basic things (such as adding users and editing config files, do not expect to be able to do more fancy stuff like firewalling (so you can edit pf.conf, you just can not load it until after rebooting), you're still in the install kernel which lacks several key features provided by the regular kernel). root logins are also quite useful when /home is on NFS and NFS is broken somehow and you need to log in to fix stuff. Myself, I keep it enabled, even if I don't have /home on NFS and already have my less-privileged user for sudo access setup. Cheers, Paul 'WEiRD' de Weerd -- [++-]+++.+++[---].+++[+ +++-].++[-]+.--.[-] http://www.weirdnet.nl/
Re: sshd_config(5) PermitRootLogin yes
On Thu, Jul 10, 2008 at 07:40:47PM +0200, Paul de Weerd wrote: root logins are also quite useful when /home is on NFS and NFS is broken somehow and you need to log in to fix stuff. Myself, I keep it enabled, even if I don't have /home on NFS and already have my less-privileged user for sudo access setup. I usually leave it enabled, but with the 'without-password' setting so that keys must be used. -- Darrin Chandler| Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: sshd_config(5) PermitRootLogin yes
On Thu, 10 Jul 2008, Brynet wrote: The keyword here is *default*. Say you installed OpenBSD on a soekris, it's nice having root enabled temporarily. That way you can login at a later time, create a lesser privledged account, On Soekris, does the first boot console access not function properly until ttys(5) or boot.conf(5) are edited? Do you need to run headless, but with stored network configuration from the installer? ~BAS edit the sudoers file.. and disable root logins in sshd_config. I believe the developers decision is the best one in this case, it's one of the first thing I disable though.
Re: sshd_config(5) PermitRootLogin yes
afterboot(8) covers this Works for me, I guess. =/ ~BAS http://www.openbsd.org/cgi-bin/man.cgi?query=afterbootapropos=0sektion=0ma npath=OpenBSD+Currentarch=i386format=html
Re: sshd_config(5) PermitRootLogin yes
Paul de Weerd escreveu: On Thu, Jul 10, 2008 at 01:21:20PM -0400, Brynet wrote: The keyword here is *default*. Say you installed OpenBSD on a soekris, it's nice having root enabled temporarily. That way you can login at a later time, create a lesser privledged account, edit the sudoers file.. and disable root logins in sshd_config. Note that you can already create this account and edit sudoers while still in the installer kernel. Simply `mnt/usr/sbin/chroot /mnt` and you are in your new system where you can change basic things (such as adding users and editing config files, do not expect to be able to do more fancy stuff like firewalling (so you can edit pf.conf, you just can not load it until after rebooting), you're still in the install kernel which lacks several key features provided by the regular kernel). root logins are also quite useful when /home is on NFS and NFS is broken somehow and you need to log in to fix stuff. Myself, I keep it enabled, even if I don't have /home on NFS and already have my less-privileged user for sudo access setup. Cheers, Paul 'WEiRD' de Weerd I do prefer to use the siteXX.tgz and the install.site script to do this, since it is the recommended way to customize the install process: http://www.openbsd.org/faq/faq4.html#site I remember other thread on this list about this. At some point someone asked Why not ask the installing user to create an unprivileged account during the install process?. The answer was simple and very coherent: Because we want the user to give root user a strong password. If we prompt for another user creation, it will tend to pick a weak password. I agreed with that and prefer having things like this. The portable ssh version also come with PermitRootLogin defaulted to yes. I don't see this as a security breach. Just pick a strong root password, create a user, edit sudoers, disable root login and you are done. My regards, -- Giancarlo Razzolini http://lock.razzolini.adm.br Linux User 172199 Red Hat Certified Engineer no:804006389722501 Verify:https://www.redhat.com/certification/rhce/current/ Moleque Sem Conteudo Numero #002 OpenBSD Stable Ubuntu 8.04 Hardy Herom 4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
Re: sshd_config(5) PermitRootLogin yes
On Thu, 10 Jul 2008, Marco Peereboom wrote: Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable? No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd. I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. Even with CF/Embedded, you ship out master.passwd prepopualted. And this is likely the rationel why the rest of the projects changed it. ~~BAS On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS
Re: sshd_config(5) PermitRootLogin yes
On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote: I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. This is how I normally do it. I don't like to stand at a crash cart kvm when I can sit at my desk. ;-) If you have a good root password then it's not much of an issue anyway. -- Darrin Chandler| Phoenix BSD User Group | MetaBUG [EMAIL PROTECTED] | http://phxbug.org/ | http://metabug.org/ http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
Re: sshd_config(5) PermitRootLogin yes
And they got it all wrong. It is all for the perceived sense of security. Not being able to login over ssh right after install sucks. I am that guy that ends up enabling it on all other boxes that use a different default. The machine I install and then deploy to be hostile network connected gets some extra love in that department however crippling every box by default for no gain is counter productive. On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote: On Thu, 10 Jul 2008, Marco Peereboom wrote: Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable? No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd. I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. Even with CF/Embedded, you ship out master.passwd prepopualted. And this is likely the rationel why the rest of the projects changed it. ~~BAS On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS
Re: sshd_config(5) PermitRootLogin yes
Marco Peereboom wrote: And they got it all wrong. It is all for the perceived sense of security. Not being able to login over ssh right after install sucks. I am that guy that ends up enabling it on all other boxes that use a different default. The machine I install and then deploy to be hostile network connected gets some extra love in that department however crippling every box by default for no gain is counter productive. maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list had PermitStupidEmails No as the default. i really fail to see how this setting does anything other than make mgmt types worry because they don't really understand security. On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote: On Thu, 10 Jul 2008, Marco Peereboom wrote: Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable? No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd. I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. Even with CF/Embedded, you ship out master.passwd prepopualted. And this is likely the rationel why the rest of the projects changed it. ~~BAS On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS
Re: sshd_config(5) PermitRootLogin yes
Dude, Why do you let them tell you because the source blah blah? Isn't that why you pay them lots of $$? On 7/10/08, Brian A. Seklecki [EMAIL PROTECTED] wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS -- http://www.glumbert.com/media/shift http://www.youtube.com/watch?v=tGvHNNOLnCk This officer's men seem to follow him merely out of idle curiosity. -- Sandhurst officer cadet evaluation. Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted. -- Gene Spafford learn french: http://www.youtube.com/watch?v=j1G-3laJJP0feature=related
Re: sshd_config(5) PermitRootLogin yes
On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote: maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list had I didn't want to rehash it all again. Everyone knows the issues. However, with respect to the right to disagree, if Marco's and Darrin's belief that if remote-network-postinstall configuration is the standing reason, then I consider myself in disagreement. Also, I think there is a false premise to the argument by Marco and Jacob that disabling remote root login by default does not provide real security, only a false illusion. That sounds like a slippery slope. We all know that security is a process. There is a security risk / attack vector here, however remote, without password quality and failed-login tarpid/delay mechanisms, a remote root password is subject to brute force. Plus, hypothetically, how strong is a temporary root password going to be? Its not going to be the one that you use in production, so likely you're going to recycle the same one after every install. - Yes qualified administrators filter sshd(8) w/ pf(4) - Yes qualified administrators choose strong passwords - Yes qualified administrators disable PermitRootLogin afterboot - Yes qualified administrators always use sudo(8) and never use root shells I propose, as a compromise, wrapping PermitRootLogin around a Match statement, limited to the default local subnet gleaned during the install network config (no LocalSubnets macro exists in sshd_config(5), afaik, but that would be best) Its just the right thing to do; and we should be leading by example. Either way, its a healthy discussion worth having. ~~BAS PermitStupidEmails No as the default. i really fail to see how this setting does anything other than make mgmt types worry because they don't really understand security. On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote: On Thu, 10 Jul 2008, Marco Peereboom wrote: Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable? No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd. I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. Even with CF/Embedded, you ship out master.passwd prepopualted. And this is likely the rationel why the rest of the projects changed it. ~~BAS On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail? ~Maynard James Keenan
Re: sshd_config(5) PermitRootLogin yes
On Jul 10, 2008, at 9:19 PM, Brian A. Seklecki [EMAIL PROTECTED] wrote: On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote: maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list There is a security risk / attack vector here, however remote, without password quality and failed-login tarpid/delay mechanisms, a remote root password is subject to brute force. Plus, hypothetically, how strong is a temporary root password going to be? Its not going to be the one that you use in production, so likely you're going to recycle the same one after every install. Don't be stupid. Problem solved. - Yes qualified administrators filter sshd(8) w/ pf(4) - Yes qualified administrators choose strong passwords - Yes qualified administrators disable PermitRootLogin afterboot - Yes qualified administrators always use sudo(8) and never use root shells I propose, as a compromise, wrapping PermitRootLogin around a Match statement, limited to the default local subnet gleaned during the install network config (no LocalSubnets macro exists in sshd_config (5), afaik, but that would be best) Its just the right thing to do; and we should be leading by example. Either way, its a healthy discussion worth having. ~~BAS PermitStupidEmails No as the default. i really fail to see how this setting does anything other than make mgmt types worry because they don't really understand security. On Thu, Jul 10, 2008 at 01:38:22PM -0400, Brian A. Seklecki wrote: On Thu, 10 Jul 2008, Marco Peereboom wrote: Of course it is enabled by default. Why do I want a box that is freshly installed and unreachable? No -- I just find that most of afterboot(8) can be done from the console; even serial console, at first boot, configure the network, add a non-root user, add them to wheel, enable sshd. I guess I'm just having trouble imagining the situation where you have console access, but need to do basic post-install configuration via the network, as root, remotely. Even with CF/Embedded, you ship out master.passwd prepopualted. And this is likely the rationel why the rest of the projects changed it. ~~BAS On Thu, Jul 10, 2008 at 10:35:06AM -0400, Brian A. Seklecki wrote: Am I reading this right? http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config?rev=1.80content-type=text/x-cvsweb-markup I dont have a fresh install anywhere -- but I want to say that it doesnt default to PermitRootLogin yes after the install. I remember that I filed PRs with FreeBSD/NetBSD a few years ago to get this changed, but Redhat Support is giving some some noise about: Well the source vendor doesn't disable it by default ... ~BAS l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail? ~Maynard James Keenan
Re: sshd_config(5) PermitRootLogin yes
On Fri, Jul 11, 2008 at 12:19:27AM -0400, Brian A. Seklecki wrote: On Thu, 10 Jul 2008, Jacob Yocom-Piatt wrote: maybe if people actually READ THE ARCHIVES, they'd be better informed. i wish this mailing list had I didn't want to rehash it all again. Everyone knows the issues. However, with respect to the right to disagree, if Marco's and Darrin's belief that if remote-network-postinstall configuration is the standing reason, then I consider myself in disagreement. ... Either way, its a healthy discussion worth having. I believe you may be overlooking the fact that while we might have a healthy discussion on this subject and decide what the default will be for BASBSD, the people who make the decisions for OpenBSD have already decided. We don't get to vote on that. We may decide how to handle our own installations, but unless you've read through the archives and found an argument that has not been considered, it is best to leave it at that.
