Scot L. Harris wrote:
On Mon, 2006-08-07 at 22:33 -0400, Todd Zullinger wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Don Russell wrote:
Why? Just curious what made you believe it was disabled by default.
Well.... just ignorance on my part.... but ftp doesn't allow me log
in as root, and I don't recall changing that setting. Call it "I
expected any form of remote access to be consistent in denying root
access". Of course they are different programs (ftp server/ssh
server)... and I always see messages that say "... ssh in, then su -
to root...." sort of implies that ssh to root directly won't work.
But again, abad assumption on my part. :-(
It's not unreasonable to assume the default would be to disable it.
I'm sure there have been debates on what the right default should be
among the openssh developers. I didn't mean to pick on you by asking.
;-)
If I recall correctly from a discussion about this a long time ago, ssh
has root access enabled by default for those cases where the admin is
trying to install a system remotely.
[snip]
That seems like a bit of a strawman argument to me.... but I'll concede
that I don't know everything. :-)
In order for a remote system to be in a state that remote access is even
possible, there must be an OS already running.
In order to install the first OS, physical access to the box must be
required. It has to be physically connected etc. At the very least the
power has to be turned on.. it might then proceed to do a network
install...
At that first install time is when a second user id should be created....
Anyway... I don't want to get into a big discussion over something that
has already been settled.... Might be nice to have a new option in
sshd_config though: "PermitRootLoginWarn yes", then in my Logwatch
reports I'll see something like "Warning: root login is permitted via
ssh - see /etc/ssh/sshd_config"
If the sysadmin really wants that, they can turn the warning off, and
sysadmins that don't want that can disallow root login.
Bugzilla/suggestion? I'll happily create a bugzilla report for that, or
am I a little over-the-top? :-)