On Mon, 2006-08-07 at 22:33 -0400, Todd Zullinger wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Don Russell wrote: > >>Why? Just curious what made you believe it was disabled by default. > >> > > > > Well.... just ignorance on my part.... but ftp doesn't allow me log > > in as root, and I don't recall changing that setting. Call it "I > > expected any form of remote access to be consistent in denying root > > access". Of course they are different programs (ftp server/ssh > > server)... and I always see messages that say "... ssh in, then su - > > to root...." sort of implies that ssh to root directly won't work. > > But again, abad assumption on my part. :-( > > It's not unreasonable to assume the default would be to disable it. > I'm sure there have been debates on what the right default should be > among the openssh developers. I didn't mean to pick on you by asking. > ;-) If I recall correctly from a discussion about this a long time ago, ssh has root access enabled by default for those cases where the admin is trying to install a system remotely. They would need a secure way to log into the system as root in order to create user accounts. After that it is up to the admin to secure ssh by disabling root access, setting up keys, and restricting which accounts can access ssh to start with as well as possibly changing the port ssh listens on. This may have changed in recent install methods, but I believe that was the argument provided awhile back for having root access enabled initially.
