Hi all,

In April, sshd(8)'s PermitRootLogin option's default setting has been changed to 'no'[0], then to 'without-password'[1], which in turn got renamed to 'prohibit-password'[2].
At the same time as the latter, the installer's default suggested answer has been changed to 'no'[3]:

"Allow root ssh login? (yes, no, prohibit-password)" no

I test snapshots on a number of physical and virtual machines on a regular basis. Recently I upgraded storage on one of the former - got an SSD and ran a clean install. I like the installer's defaults so happily accepted those when prompted, then after a couple of hours I upgraded to the newest snapshot. As I like to know what changes between snapshots, I always run sysmerge(8) with the '-d' option, amongst other things. Upon upgrading to the next snapshot and running sysmerge, I had been presented with this diff:

-PermitRootLogin no
+#PermitRootLogin prohibit-password

From clean install using defaults to a new snapshot within a couple of hours and straight away I was informed that my settings deviate from the software defaults, even though I hadn't changed a thing after install - had I done so, information like that would have been expected. Worth mentioning is the fact that the above was the *only* message I got from sysmerge. Unless I had made post-install changes to config files on my system, I would have expected sysmerge not to produce *any* output.

This email is not as much about the PermitRootLogin option in sshd_config or which setting is "better" as the default, as it is about the installer vs software defaults, in other words "consistency" - PermitRootLogin simply happens to be the *only* inconsistency.

Finally, a couple of questions:

1. Shouldn't the installer's suggested default answers reflect the defaults on the system, and if not, why?
2. Shouldn't PermitRootLogin default settings be synchronised as per the above, and if not, why?

Regards,
Raf

[0] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.diff?r1=1.94&r2=1.95&f=h
[1] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.diff?r1=1.95&r2=1.96&f=h
[2] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/sshd_config.diff?r1=1.96&r2=1.97&f=h
[3] http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/distrib/miniroot/install.sub.diff?r1=1.853&r2=1.854&f=h
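
An added example, not part of the original message or of OpenBSD's own tooling: a shell function that resolves the global PermitRootLogin value of an sshd_config file, showing that the two sides of the sysmerge diff above are different effective policies and not only different text. It assumes the built-in default is prohibit-password as the message states, does not evaluate Match blocks or Include, and runs on constructed sample files.

```shell
# Print the global PermitRootLogin value that a given sshd_config yields.
# Assumption: when the keyword is unset, the default is prohibit-password.
effective_permit_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blanks set nothing
        { sub(/[ \t]*=[ \t]*/, " "); kw = tolower($1) }   # allow "Keyword=value"
        kw == "match" { exit }                  # global scope ends at first Match
        kw == "permitrootlogin" && !found {     # sshd keeps the first value it reads
            val = tolower($2)
            if (val == "without-password") val = "prohibit-password"  # old name
            found = 1
        }
        END { print (found ? val : "prohibit-password") }
    ' "$1"
}

# Compare the installed file ($1) with the newly shipped one ($2).
compare_root_login() {
    installed=$(effective_permit_root_login "$1")
    shipped=$(effective_permit_root_login "$2")
    if [ "$installed" = "$shipped" ]; then
        echo "same: $installed"
    else
        echo "differs: installed=$installed shipped=$shipped"
    fi
}

# Constructed sample files that mirror the two sides of the diff in the message.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/installed" <<'EOF'
# constructed sample: value written after answering "no" in the installer
PermitRootLogin no
EOF
cat > "$demo_dir/shipped" <<'EOF'
# constructed sample: shipped file documents the default as a comment only
#PermitRootLogin prohibit-password
EOF

compare_root_login "$demo_dir/installed" "$demo_dir/shipped"
```

On a live system, `sshd -T` prints the configuration the daemon actually resolves and is the authoritative check for the running setup.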