Re: able to login as root via ssh :-(

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Scot L. Harris wrote:

On Mon, 2006-08-07 at 22:33 -0400, Todd Zullinger wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Don Russell wrote:

Why?  Just curious what made you believe it was disabled by default.

Well.... just ignorance on my part.... but ftp doesn't allow me log
in as root, and I don't recall changing that setting. Call it "I
expected any form of remote access to be consistent in denying root
access". Of course they are different programs (ftp server/ssh
server)... and I always see messages that say "... ssh in, then su -
to root...." sort of implies that ssh to root directly won't work.
But again, abad assumption on my part. :-(

It's not unreasonable to assume the default would be to disable it.
I'm sure there have been debates on what the right default should be
among the openssh developers.  I didn't mean to pick on you by asking.
;-)


If I recall correctly from a discussion about this a long time ago, ssh
has root access enabled by default for those cases where the admin is
trying to install a system remotely.


[snip]
That seems like a bit of a strawman argument to me.... but I'll concede that I don't know everything. :-)
In order for a remote system to be in a state that remote access is even possible, there must be an OS already running. In order to install the first OS, physical access to the box must be required. It has to be physically connected etc. At the very least the power has to be turned on.. it might then proceed to do a network install... 

At that first install time is when a second user id should be created....
Anyway... I don't want to get into a big discussion over something that has already been settled.... Might be nice to have a new option in sshd_config though: "PermitRootLoginWarn yes", then in my Logwatch reports I'll see something like "Warning: root login is permitted via ssh - see /etc/ssh/sshd_config"
If the sysadmin really wants that, they can turn the warning off, and sysadmins that don't want that can disallow root login.
Bugzilla/suggestion? I'll happily create a bugzilla report for that, or am I a little over-the-top? :-)
[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux