please deactivate services by default!
Matthew Woehlke
mw_triad at users.sourceforge.net
Thu Sep 25 20:33:41 UTC 2008
Chris Adams wrote:
> Once upon a time, Matthew Woehlke <mw_triad at arg.xxx.yyy> said:
(please read my .sig, thanks!)
> I always thought it was odd that some things (e.g. telnet) block root
> logins but others (e.g. ssh) don't. I can telnet in and then su and the
> password is just as much in the clear as it would have been with
> straight root-login-telnet. Either all should allow or all should block
> (I personally block), except for directly attached consoles (so root can
> get in when all else is broken).
True, but then, IMO telnet should just be disabled, period :-).
> Maybe sshd could be configured as "PermitRootLogin without-password",
> which would require someone to configure keys (but not reconfigure sshd)
> before root ssh could be used.
What's wrong with simply blocking root login unless root has a password?
(Or does this allow login with keys *or* a real password, which would be
fine?)
>>> - block logins to accounts with no password
>> This is different from passphrase-less keys, right? If so I'd definitely
>> vote for this. It doesn't need to be exclusive with disabling root
>> login, though.
>
> Yes. I'm pretty sure there is a difference between "account with no
> password" and "account with empty-string password", and the sshd option
> "PermitEmptyPasswords" (which defaults to no) works as you describe.
Ok. Eh, so I'm confused, an account with "no" password just cannot be
logged into at all, I thought? (Except via methods that wouldn't use
password authentication, e.g. key-based authentication as mentioned
above, 'su' as root...) I wouldn't expect an ssh setting for that, I'd
expect it to simply be denied :-).
--
Matthew
Please do not quote my e-mail address unobfuscated in message bodies.
--
"You know what Microsoft's problem really is? They've lost the ability
to feel ashamed." -- Pamela Jones (Groklaw)
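The distinction discussed in this thread (an account with "no" password versus one with an empty-string password, and how `PermitRootLogin without-password` and `PermitEmptyPasswords` bear on each) can be checked mechanically. The following is an added example, not part of the original message: the function names and both sample inputs are constructed for illustration, and it assumes the usual shadow(5) convention that an empty password field means an empty password while a field starting with `!` or `*` has no usable password. It models password authentication only, not `PasswordAuthentication`, PAM or `Match` blocks.

```python
# Added example; both inputs below are constructed, not from a real host.
SAMPLE_SSHD_CONFIG = """\
# constructed sample
PermitRootLogin without-password
#PermitEmptyPasswords no
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhash:14147:0:99999:7:::
guest::14147:0:99999:7:::
daemon:*:14147:0:99999:7:::
alice:!!:14147:0:99999:7:::
"""

def sshd_option(config_text, keyword, default=None):
    """Global value of an sshd_config keyword; the first occurrence wins."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        name = parts[0].lower()
        if name == "match":
            break  # settings after Match are conditional; not modelled here
        if name == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return default

def classify_shadow(shadow_text):
    """Map each account to 'empty', 'locked' or 'hashed' by its password field."""
    states = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        pw = fields[1]
        # "" = empty-string password; leading ! or * = no usable password
        states[fields[0]] = "empty" if pw == "" else "locked" if pw[0] in "!*" else "hashed"
    return states

def password_login_possible(user, state, config_text):
    """Can this account pass sshd password authentication? Keys are separate."""
    no_pw_root = ("no", "without-password", "prohibit-password", "forced-commands-only")
    if user == "root" and sshd_option(config_text, "PermitRootLogin") in no_pw_root:
        return False
    if state == "locked":
        return False  # nothing typed at the prompt can match
    if state == "empty":
        # the page notes PermitEmptyPasswords defaults to "no"
        return sshd_option(config_text, "PermitEmptyPasswords", "no") == "yes"
    return True
```

Accounts classified as `locked` can still be reached by methods that do not use the password field, such as key-based authentication or `su` from root.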
More information about the fedora-devel-list mailing list