please deactivate services by default!

Chris Adams cmadams at hiwaay.net
Thu Sep 25 18:09:36 UTC 2008


Once upon a time, Matthew Woehlke <mw_triad at users.sourceforge.net> said:
> Chris Adams wrote:
> >- block root logins
> 
> This seems to be the default on some UNIXes (or, at least, it's true for 
> some of the machines I work with, though it's possible that IT set it 
> up). I'm indifferent; I might re-enable it (though, since I can su also, 
> I might not), but I don't mind making this default.

I always thought it was odd that some things (e.g. telnet) block root
logins but others (e.g. ssh) don't.  I can telnet in and then su and the
password is just as much in the clear as it would have been with
straight root-login-telnet.  Either all should allow or all should block
(I personally block), except for directly attached consoles (so root can
get in when all else is broken).

Maybe sshd could be configured as "PermitRootLogin without-password",
which would require someone to configure keys (but not reconfigure sshd)
before root ssh could be used.

> >- block logins to accounts with no password
> 
> This is different from passphrase-less keys, right? If so I'd definitely 
> vote for this. It doesn't need to be exclusive with disabling root 
> login, though.

Yes.  I'm pretty sure there is a difference between "account with no
password" and "account with empty-string password", and the sshd option
"PermitEmptyPasswords" (which defaults to no) works as you describe.

-- 
Chris Adams <cmadams at hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
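
An added example, not part of the original message: a small offline check for the two sshd options discussed above, PermitRootLogin and PermitEmptyPasswords. The sample configuration, the WEAK table and the function names are constructed for illustration. The check relies on sshd keeping the first value it obtains for each keyword and on "without-password" being the older spelling of "prohibit-password".

```python
# Constructed sample sshd_config (not taken from the thread).
SAMPLE = """\
# global section
permitrootlogin without-password
PermitRootLogin yes

Match Address 192.0.2.0/24
    PermitEmptyPasswords yes
"""

# "without-password" is the older spelling of "prohibit-password".
ALIASES = {"without-password": "prohibit-password"}
# Settings this check reports (an assumption of this example, not a standard).
WEAK = {("permitrootlogin", "yes"), ("permitemptypasswords", "yes")}


def parse(text):
    """Yield (scope, keyword, value); scope is "global" or the Match line."""
    scope = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)
        keyword = fields[0].lower()  # keywords are case-insensitive
        value = fields[1].strip().strip('"') if len(fields) > 1 else ""
        if keyword == "match":
            scope = "Match " + value  # everything below is conditional
            continue
        yield scope, keyword, ALIASES.get(value.lower(), value.lower())


def audit(text):
    """Return (effective global settings, findings) for the two options."""
    effective, global_hits, match_hits = {}, [], []
    for scope, keyword, value in parse(text):
        if scope == "global":
            # sshd uses the first value it obtains for each keyword.
            effective.setdefault(keyword, value)
        elif (keyword, value) in WEAK:
            match_hits.append(f"{scope}: {keyword} {value} (conditional)")
    for keyword in ("permitrootlogin", "permitemptypasswords"):
        if (keyword, effective.get(keyword)) in WEAK:
            global_hits.append(f"global: {keyword} {effective[keyword]}")
    return effective, global_hits + match_hits


if __name__ == "__main__":
    settings, findings = audit(SAMPLE)
    print(settings, *findings, sep="\n")
```

In the sample, the later "PermitRootLogin yes" line has no effect because the first value wins, while the Match block still enables empty passwords for one address range.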



