On Tue, Jul 12, 2016 at 08:34:33AM -0400, Dan Ritter wrote:
[...]
> The easiest thing to do is to change the default config:
>
> create a group, sshlogin
>
> Add root and UID 1000 (the user created at install time) to that
> group.
>
> add this line to /etc/ssh/sshd_config:
> AllowGroup sshlogin
>
> from man sshd_config:
>
> If specified, login is allowed only for users whose primary group or
> supplementary group list matches one of the patterns. Only group names
> are valid; a numerical group ID is not recognized. By default, login
> is allowed for all groups. The allow/deny directives are processed
> in the following order: DenyUsers, AllowUsers, DenyGroups, and finally
> AllowGroups.
>
> and finally, update the documentation to reflect this.
>
> The downside is that this is a major change in behavior; the
> upside is that it is consistent with other things that Debian
> does.

Hmmm. This would still allow password auth for user 1000 (and root (!)).
I think OP's concern was exactly that.

My question would be... what would be the consequences of changing
those defaults? Or perhaps, of asking the user at package config time?

regards
-- 
t
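As an added illustration, not part of the thread or of OpenSSH, the following Python model walks a user through the four access lists in the order quoted from man sshd_config above (DenyUsers, AllowUsers, DenyGroups, AllowGroups) and then shows the reply's point: passing AllowGroups says nothing about whether password authentication is still possible. The user/group table and all config values are constructed; the PermitRootLogin default assumed here is the OpenSSH 7.0+ value, prohibit-password.

```python
"""Model of sshd access-list evaluation order plus auth-method settings.
Illustration only, not OpenSSH code. Directory data below is constructed."""
from fnmatch import fnmatchcase

# Constructed directory: user -> (primary group, supplementary groups).
# "alice" stands for the UID 1000 user created at install time.
USERS = {
    "root": ("root", {"sshlogin"}),
    "alice": ("alice", {"sshlogin", "sudo"}),
    "bob": ("bob", {"sudo"}),
    "www-data": ("www-data", set()),
}


def _matches(name, patterns):
    """sshd-style glob match (fnmatch) of a user or group name."""
    return any(fnmatchcase(name, p) for p in patterns)


def user_allowed(user, config):
    """Apply DenyUsers, AllowUsers, DenyGroups, AllowGroups in that order.

    `config` maps directive name -> list of patterns. An absent or empty
    Allow* directive imposes no restriction at that step, matching the
    "by default, login is allowed for all groups" text quoted above.
    """
    primary, supplementary = USERS[user]
    groups = {primary} | supplementary
    if _matches(user, config.get("DenyUsers", [])):
        return False                       # processed first; cannot be undone
    allow_users = config.get("AllowUsers", [])
    if allow_users and not _matches(user, allow_users):
        return False
    if any(_matches(g, config.get("DenyGroups", [])) for g in groups):
        return False
    allow_groups = config.get("AllowGroups", [])
    if allow_groups and not any(_matches(g, allow_groups) for g in groups):
        return False
    return True


def password_login_possible(user, config):
    """AllowGroups alone leaves password auth on (sshd default is 'yes');
    root is additionally gated by PermitRootLogin (assumed default:
    prohibit-password, the OpenSSH 7.0+ value)."""
    if not user_allowed(user, config):
        return False
    if config.get("PasswordAuthentication", "yes") != "yes":
        return False
    if user == "root":
        return config.get("PermitRootLogin", "prohibit-password") == "yes"
    return True
```

Running `password_login_possible("alice", {"AllowGroups": ["sshlogin"]})` returns True, which is exactly the gap the reply points out; adding `"PasswordAuthentication": "no"` is what closes it.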