Colin Watson <cjwat...@debian.org> writes:

> On Mon, Apr 06, 2009 at 11:37:47AM +0300, Jari Aalto wrote:
>> - PermitRootLogin change: from 'yes' to 'no'
>
> No. See README.Debian.

This wasn't obvious. Please add at least a comment to the default conffile for people to consult /usr/share/doc/openssh-server/README.Debian.gz why it's on by default.

Considering README.Debian:

    ...If you set it to no, then they must compromise a normal user
    account. In the vast majority of cases, this does not give added
    security; remember that any account you su to root from is
    equivalent to root - compromising this account gives an attacker
    access to root easily.

The reasoning doesn't look sound. It would appear that two-layer security is better than one, because one would need to:

1) Find a user name. Not an obvious task in small sites.
2) crack user login
3) crack the root passwd from within site; not straightforward, CPU limits ... watchdogs.

Instead of hammering root-login directly with botnet attacks.

>> - Add paragraph breaks between option groups
>
> Sounds like an excellent way to generate conffile resolution conflicts
> for anyone who's modified this file. Not worth it.

If there are already custom modifications, the upgrade suggests a conflict resolution anyway, no?

Jari