On Mon, 2002-05-20 at 15:37, Jamin W.Collins wrote:
> On Mon, 20 May 2002 20:26:11 +0100
> "Colin Watson" <[EMAIL PROTECTED]> wrote:
>
> > Like the document says, regularly su'ing to root from an account makes
> > compromising that account essentially equivalent to compromising root
> > anyway. I don't see a problem with the default configuration, and nor do
> > OpenSSH upstream.
>
> Good security is layered. Because a normal account could be compromised
> and su'ing to root accomplished doesn't mean that it should be made easier
> for a cracker by allowing direct root logins. Additionally, the default
> Debian ssh config allows for password authentication. This is definitely
> a bad idea.
>
> The defaults for most other settings show a desire to make the
> installation more secure. It really doesn't make sense (at least not to
> me) to tighten up other defaults but just leave the key in the lock on
> these two.
While I can see both sides of this argument, it seems to me that anyone
who is knowledgeable enough to understand and accept the dangers of
allowing root to ssh is knowledgeable enough to change the default.
However, a great many people don't know enough to understand the dangers
and probably wouldn't know how to go about changing the default if they
don't need that capability.

I gotta agree with you here; always err on the side of security.
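The two sshd_config settings argued over in this thread, PermitRootLogin and PasswordAuthentication, are easy to audit for. The script below is an added example and is not code from the thread, from Debian or from OpenSSH; it reads a config file the way sshd does (keywords are case-insensitive, the first occurrence of a keyword wins, and settings inside a Match block are conditional, so the scan stops there) and reports whether either "key is still in the lock". The sample config contents are constructed for the demonstration; the default values assumed when a keyword is absent are the "yes" defaults the thread complains about.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread: audit an sshd_config for
# the two settings debated above. Assumes sshd semantics: keywords are
# case-insensitive, the FIRST occurrence of a keyword is the effective one,
# and anything after the first "Match" line is conditional, so it is ignored.

# sshd_effective FILE KEYWORD DEFAULT
# Print the effective global value of KEYWORD in FILE, or DEFAULT if absent.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        { gsub(/=/, " "); $0 = $0 }               # accept "Keyword=value" form
        /^[[:space:]]*#/ || NF < 2 { next }       # comment or blank line
        tolower($1) == "match" { exit }           # conditional section: stop
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE
# Print one finding per setting; return 0 only if both are hardened.
audit_sshd_config() {
    file=$1; status=0
    # Defaults assumed here ("yes") are the ones the thread objects to.
    root=$(sshd_effective "$file" PermitRootLogin yes)
    pw=$(sshd_effective "$file" PasswordAuthentication yes)
    # Only "no" disables direct root logins entirely; without-password /
    # prohibit-password still allow key-based root logins.
    case "$root" in
        no) echo "PermitRootLogin=$root: ok" ;;
        *)  echo "PermitRootLogin=$root: direct root logins allowed"; status=1 ;;
    esac
    case "$pw" in
        no) echo "PasswordAuthentication=$pw: ok" ;;
        *)  echo "PasswordAuthentication=$pw: password logins allowed"; status=1 ;;
    esac
    return $status
}

# Demonstration on two constructed config files (not real system files).
weak=$(mktemp); hard=$(mktemp)
printf 'PermitRootLogin yes\nPasswordAuthentication yes\n' > "$weak"
printf '# hardened\nPasswordAuthentication no\nPermitRootLogin no\n' > "$hard"
printf 'Match User backup\n  PasswordAuthentication yes\n' >> "$hard"
echo "== weak config =="; audit_sshd_config "$weak" || true
echo "== hardened config =="; audit_sshd_config "$hard" || true
rm -f "$weak" "$hard"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the functions; a non-zero exit status makes it usable as a check in a configuration-compliance job. The Match-block cut-off is deliberate: the conditional override in the hardened sample above applies to one user only and must not be read as the global value.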