On 01/28/2014 03:57 AM, Brian wrote:
> On Mon 27 Jan 2014 at 20:24:42 -0800, Jon Danniken wrote:
>
>> I recently came across a posting by an individual who got his
>> Debian machine compromised due to a number of security problems, one of
>> which was the default installation and running of sshd with
>> "PermitRootLogin = Yes" in /etc/ssh/sshd_config.
>
> These types of posts are not unusual; what they all generally have in
> common is a lack of detail and any evidence that "PermitRootLogin = Yes"
> in itself is the cause. Having introduced a FUD factor it is now easier
> to promote alternatives without having to justify them.
>
>> So I checked the Debian installation that I put on my laptop a month ago
>> (from the Wheezy net install CD), and sure enough I had the same
>> vulnerability
>
> "PermitRootLogin = Yes" is upstream's (and Debian's) default setting; it
> is not an insecure one. You could introduce an insecurity by using
> "password1" as the root password.
>
>> (I fixed it by changing the "PermitRootLogin" value).
>
> If you have a strong password for the root login you wouldn't have fixed
> anything.
Thanks Brian, I ended up removing openssh-server, as it was not something I needed; it was automatically installed and set up to run as a "feature" of the live CD I used to install Debian with (installed as part of the "live-tools" package).

Fortunately I came across the posting that alerted me to this, and have removed it from both of my machines. If I end up using openssh in the future I will definitely use a private key, though.

Jon

Archive: http://lists.debian.org/52e80794.9000...@q.com
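Both messages turn on what sshd actually does with the lines in sshd_config. As an added example, not code from the thread or from Debian, here is a POSIX shell check that reports the effective PermitRootLogin and PasswordAuthentication values of a config file and flags one that still allows root password logins; it assumes sshd_config(5)'s rule that the first occurrence of a keyword wins, that keywords are case-insensitive, and that both "key value" and "key=value" are accepted, and it does not evaluate Match blocks. The two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports what sshd will actually use
# for a keyword in an sshd_config and checks that root is limited to key-based
# login with password authentication off. Assumptions, per sshd_config(5): the
# FIRST occurrence of a keyword wins, keywords are case-insensitive, "key value"
# and "key=value" are both accepted, and "Match" blocks are not evaluated here.

# Print the effective value of keyword $1 in file $2 (empty if never set).
sshd_effective() {
    awk -v kw="$1" -F '[ \t=]+' '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }        # drop comments and indent
        NF == 0 { next }                               # skip blank lines
        tolower($1) == "match" { exit }                # Match blocks: out of scope
        tolower($1) == tolower(kw) { print $2; exit }  # first occurrence wins
    ' "$2"
}

# Return 0 when root logins are off or key-only AND password auth is off.
# An unset keyword falls back to "yes", the upstream default for both when this
# thread was written (OpenSSH 7.0+ defaults PermitRootLogin to prohibit-password).
sshd_audit() {
    root=$(sshd_effective PermitRootLogin "$1" | tr '[:upper:]' '[:lower:]')
    pass=$(sshd_effective PasswordAuthentication "$1" | tr '[:upper:]' '[:lower:]')
    case "${root:-yes}" in no|without-password|prohibit-password) ;; *) return 1 ;; esac
    [ "${pass:-yes}" = no ]
}

# Constructed sample configs: the first matches the live-CD setup in the thread
# (root password logins allowed) and shows a later "no" that sshd ignores.
DEFAULT_CFG=$(mktemp) && HARDENED_CFG=$(mktemp)
trap 'rm -f "$DEFAULT_CFG" "$HARDENED_CFG"' EXIT
cat >"$DEFAULT_CFG" <<'EOF'
# PermitRootLogin no      <- commented out, has no effect
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no        # ignored: the first occurrence above already won
EOF
cat >"$HARDENED_CFG" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication=no
PubkeyAuthentication yes
EOF

for f in "$DEFAULT_CFG" "$HARDENED_CFG"; do
    printf 'PermitRootLogin=%s PasswordAuthentication=%s -> ' \
        "$(sshd_effective PermitRootLogin "$f")" "$(sshd_effective PasswordAuthentication "$f")"
    if sshd_audit "$f"; then echo OK; else echo WEAK; fi
done
```

Run it against /etc/ssh/sshd_config on a real host by replacing the loop's file list; on a live system `sshd -T` prints the fully resolved configuration (Match blocks included) and is the authoritative check.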