please deactivate services by default!

Matthew Woehlke mw_triad at users.sourceforge.net
Thu Sep 25 20:33:41 UTC 2008


Chris Adams wrote:
> Once upon a time, Matthew Woehlke <mw_triad at arg.xxx.yyy> said:
(please read my .sig, thanks!)

> I always thought it was odd that some things (e.g. telnet) block root
> logins but others (e.g. ssh) don't.  I can telnet in and then su and the
> password is just as much in the clear as it would have been with
> straight root-login-telnet.  Either all should allow or all should block
> (I personally block), except for directly attached consoles (so root can
> get in when all else is broken).

True, but then, IMO telnet should just be disabled, period :-).

> Maybe sshd could be configured as "PermitRootLogin without-password",
> which would require someone to configure keys (but not reconfigure sshd)
> before root ssh could be used.

What's wrong with simply blocking root login unless root has a password? 
(Or does this allow login with keys *or* a real password, which would be 
fine?)

>>> - block logins to accounts with no password
>> This is different from passphrase-less keys, right? If so I'd definitely 
>> vote for this. It doesn't need to be exclusive with disabling root 
>> login, though.
> 
> Yes.  I'm pretty sure there is a difference between "account with no
> password" and "account with empty-string password", and the sshd option
> "PermitEmptyPasswords" (which defaults to no) works as you describe.

Ok. Eh, so I'm confused, an account with "no" password just cannot be 
logged into at all, I thought? (Except via methods that wouldn't use 
password authentication, e.g. key-based authentication as mentioned 
above, 'su' as root...) I wouldn't expect an ssh setting for that, I'd 
expect it to simply be denied :-).

-- 
Matthew
Please do not quote my e-mail address unobfuscated in message bodies.
-- 
"You know what Microsoft's problem really is? They've lost the ability 
to feel ashamed." -- Pamela Jones (Groklaw)
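
Added example (not part of the original message, and not code from Fedora or OpenSSH): a small Python model of the distinction discussed above, showing how a locked "no password" shadow entry, an empty-string password, `PermitEmptyPasswords` and `PermitRootLogin without-password` combine to decide whether a password-only ssh login can succeed. The account names, shadow entries and config snippets are constructed; it assumes `PasswordAuthentication` is enabled and ignores PAM policy and `Match` blocks.

```python
# Added example: constructed sample data, not taken from any real host.
# Assumes PasswordAuthentication is on; PAM policy and Match blocks are not modelled.
# root_default below is the current upstream default; older releases used "yes".
ROOT_NO_PASSWORD = {"no", "without-password", "prohibit-password",
                    "forced-commands-only"}

def classify(shadow_field):
    """Classify the password field (2nd column) of an /etc/shadow entry."""
    if shadow_field == "":
        return "empty"    # empty-string password: nothing has to be typed
    if shadow_field[0] in "!*":
        return "locked"   # no valid hash: a password can never match
    return "hashed"

def sshd_settings(config_text, root_default="prohibit-password"):
    """Global (PermitRootLogin, PermitEmptyPasswords); sshd keeps the first value read."""
    cfg = {}
    for line in config_text.splitlines():
        parts = line.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break         # conditional blocks are out of scope here
        if len(parts) > 1:
            cfg.setdefault(parts[0].lower(), parts[1].lower())
    return (cfg.get("permitrootlogin", root_default),
            cfg.get("permitemptypasswords", "no"))

def password_login_possible(user, shadow_field, config_text):
    """Could `user` get in over ssh by password alone (keys not considered)?"""
    root_login, empty_ok = sshd_settings(config_text)
    state = classify(shadow_field)
    if state == "locked":
        return False
    if user == "root" and root_login in ROOT_NO_PASSWORD:
        return False
    if state == "empty":
        return empty_ok == "yes"
    return True

SHADOW = {"root": "$6$constructed$notarealhash", "guest": "", "svc": "!!"}
KEYS_ONLY_ROOT = "# constructed sshd_config\nPermitRootLogin without-password\n"
WIDE_OPEN = "PermitRootLogin yes\nPermitEmptyPasswords yes\n"

def audit(config_text):
    return {u: password_login_possible(u, f, config_text) for u, f in SHADOW.items()}

if __name__ == "__main__":
    print("keys-only root:", audit(KEYS_ONLY_ROOT))
    print("wide open:     ", audit(WIDE_OPEN))
```

The locked `svc` account is refused under both configurations, while the empty-password `guest` account is admitted only when `PermitEmptyPasswords yes` is set.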




More information about the fedora-devel-list mailing list