On Tue, Jul 12, 2016 at 02:20:38PM +0200, to...@tuxteam.de wrote: > On Tue, Jul 12, 2016 at 03:05:35PM +0300, Reco wrote: > > Hi. > > > > On Tue, Jul 12, 2016 at 11:26:10AM +0200, mwnx wrote: > > > Currently, after installing openssh-server, anyone can gain access > > > to any user's account on the system using only the corresponding > > > user's password. As we know, people do not necessarily use the most > > > secure of passwords. This will especially be the case if the user > > > does not expect his computer to be accessible in any way from the > > > outside. > > > > So, you're blaming a perfectly good (and reasonably secure) way of > > remote access, but somehow assume that weak passwords are ok. > > By that logic you should not stop there. Why not blame any remote access > > mechanism that uses PAM for password checking as well? > > I still think the OP has a point. I don't know how a solution might look > which makes sense (a default config with password disabled seems a bit > strong, TBH), but IMHO it's worth thinking about the problem instead > of dismissing it off-hand.
The easiest thing to do is to change the default config: create a group, sshlogin Add root and UID 1000 (the user created at install time) to that group. add this line to /etc/ssh/sshd_config: AllowGroup sshlogin from man sshd_config: If specified, login is allowed only for users whose primary group or supplementary group list matches one of the patterns. Only group names are valid; a numerical group ID is not recognized. By default, login is allowed for all groups. The allow/deny directives are processed in the following order: DenyUsers, AllowUsers, DenyGroups, and finally AllowGroups. and finally, update the documentation to reflect this. The downside is that this is a major change in behavior; the upside is that it is consistent with other things that Debian does. -dsr-