On Tue, Jul 12, 2016 at 03:45:06PM +0300, Reco wrote:
> On Tue, Jul 12, 2016 at 02:20:38PM +0200, to...@tuxteam.de wrote:
> > I still think the OP has a point.

[...]

> I can think of several 'solutions for the problem', but most of them are
> either unrealistic or redundant:
>
> 1) Change Debian Policy which mandates starting a daemon on package
> install.

I think this is the wrong alley: Making this a problem of "all daemons"
renders the problem practically intractable. While it makes sense to
keep a more general solution in sight, sshd is in many respects special.

> 2) Add 'AllowGroups ssh' to the stock sshd_config.
>
> 3) Add a debconf template to openssh-server package which allows to
> choose local users for 'AllowUsers' stanza of sshd_config.
>
> 4) Block all incoming connections to tcp port 22 by default.

And how about changing the default to "PasswordAuthentication no"?

regards
--
t
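Added example, not part of the original message: a small Python check that reads the text of an sshd_config and reports whether the defaults proposed in this thread (`PasswordAuthentication no`, an `AllowUsers`/`AllowGroups` restriction) are in effect for every connection. The function names and both sample configs are constructed for illustration; it assumes a single file and does not follow `Include` directives.

```python
import re

# Keywords whose values accumulate across lines; every other keyword keeps
# the first value sshd reads.
ACCUMULATING = {"allowusers", "allowgroups", "denyusers", "denygroups"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed samples, not real Debian files.
SAMPLE_STOCK = """\
Port 22
#PasswordAuthentication yes
UsePAM yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
"""
SAMPLE_HARDENED = """\
PasswordAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
AllowGroups ssh
AllowGroups admin
"""

def global_settings(text):
    """Return the settings that apply to every connection (before any Match)."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", raw.strip())
        if not m:
            continue  # blank line, comment, or keyword without a value
        key = ALIASES.get(m.group(1).lower(), m.group(1).lower())
        if key == "match":
            break  # conditional blocks do not change the default exposure
        if key in ACCUMULATING:
            settings.setdefault(key, []).extend(m.group(2).split())
        else:
            settings.setdefault(key, m.group(2).strip().lower())
    return settings

def audit(text):
    s = global_settings(text)
    findings = []
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is on (upstream default: yes)")
    if s.get("usepam", "no") == "yes" and s.get("kbdinteractiveauthentication", "yes") != "no":
        findings.append("keyboard-interactive via PAM can still accept passwords")
    if not (s.get("allowusers") or s.get("allowgroups")):
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser above only shows why a commented-out line or a setting inside a `Match` block does not change what an unauthenticated client is offered.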