On Wed, Oct 27, 2010 at 05:22:26PM -0400, Brad Tilley wrote: > I felt the same way. I understand that I removed authentication by > accidentally commenting out that line, but I thought that would cause > authentication to fail. Obviously, authentication is not succeeding, > it's just that authentication is not happening at all and you can type > anything and get a shell on the remote system (provided you know a user > name). In short, that behavior surprised me.
I disagree: if authentication was removed from a system (regardless of whether by accident or not), I would expect the result to be a system with no authentication. Not a system in which authentication had become impossible. Perhaps a comment above the line, warning that removing that line removes the requirement of authentication? Regards, Mark. -- To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20101027220013.go13...@markv.18londonst.co.nz