SSHd

Kostas Georgiou k.georgiou at imperial.ac.uk
Sun Aug 20 11:38:43 UTC 2006


On Sun, Aug 20, 2006 at 12:54:30PM +0200, Christian Rose wrote:

> On 8/19/06, Arthur Pemberton <pemboa at gmail.com> wrote:
> >Why does FC ship openssh with sshd allowing root logins? And are there
> >any plans to preempt the now routine sshd weak password hunting bots?
> 
> IIRC, the idea was that you should not end up with being locked out of
> a remote system if that system's /home NFS mount was somehow screwed
> up. With allowing root to log in, you could still fix a remote system
> using NFS-mounted home directories.

Not to mention that Kerberos/LDAP/NIS/whatever might be down so user
logins might not be available.

In any case, wouldn't it be better to start using pam_access by default in
system_auth and block root logins if you want there? I don't see why sshd
should be treated differently than other tools in the system.
Anaconda, authconfig can ask questions at install time like:
 Allow root logins: [X] Local, [] Everywhere, [] By domain ..., etc.
 Allow user logins: [] Local, [X] Everywhere, [] By domain ..., etc.
and set up an access.conf file.

Kostas 
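
The install-time choices proposed in the message above, turned into pam_access rules; this is an added example, not part of the original message and not Anaconda or authconfig code. The function names, parameter names and the sample domain are hypothetical; the output uses the `permission:users:origins` format of access.conf, which pam_access evaluates top to bottom and stops at the first matching rule.

```python
# Added illustration: map installer-style answers ("local", "everywhere",
# "domain") to access.conf rules. All names here are hypothetical.

def origins(choice, domain=None):
    """Translate one answer into an access.conf origin field."""
    if choice == "local":
        return "LOCAL"
    if choice == "everywhere":
        return "ALL"
    if choice == "domain":
        # ':' separates fields and whitespace separates list items, so
        # neither may appear inside a single origin token.
        if not domain or any(c in domain for c in ": \t\n"):
            raise ValueError("a domain without ':' or whitespace is required")
        # An origin that starts with '.' matches as a domain suffix.
        return "." + domain.lstrip(".")
    raise ValueError(f"unknown choice: {choice!r}")


def build_access_conf(root_choice, user_choice,
                      root_domain=None, user_domain=None):
    """Return access.conf text for the two questions in the message."""
    root_origin = origins(root_choice, root_domain)
    user_origin = origins(user_choice, user_domain)
    rules = [f"+:root:{root_origin}"]
    if root_origin != "ALL":
        # First match wins, so this deny only applies to root logins
        # that the allow rule above did not match.
        rules.append("-:root:ALL")
    rules.append(f"+:ALL EXCEPT root:{user_origin}")
    # Default deny for anything not explicitly allowed.
    rules.append("-:ALL:ALL")
    return "\n".join(rules) + "\n"


if __name__ == "__main__":
    # The defaults ticked in the message: root local only, users everywhere.
    print(build_access_conf("local", "everywhere"), end="")
```

The rules only take effect for services whose PAM stack includes `account required pam_access.so`, and for sshd only when it runs with `UsePAM yes`.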




More information about the fedora-devel-list mailing list