Hi again!

I have a question on the default behaviour of OpenSSH.  Please do not
think that I am complaining about it or trying to change its behaviour
in relation to remote root logins being allowed by default on OpenSSH (but
I certainly believe it would be nice; that is the reason I am writing this
message to the misc@ mailing list).  I just want to share my opinion with
the members of this mailing list.

First of all, I understand that remote root logins can be easily
avoided by setting "PermitRootLogin" to "no" in /etc/ssh/sshd_config.
I guess that remote root logins are allowed by default to simplify
management of small network appliances that do not have user accounts
on them.  But these appliances are only a small number of all OpenBSD
installations and, even if this number is not so small, a restricted
(non-root) account in the group wheel and probably in the group operator
too, on these devices is advisable to avoid damaging these appliances
by mistake.

In my humble opinion, there are three reasons to deny remote root logins
by default:

  1. Remote root login enabled by default makes the wheel group
     superfluous (i.e., why are users added to the wheel group when
     a user not in this group can log in as root, once the root
     password is known to him, by just typing "ssh [EMAIL PROTECTED]"?)

  2. There are a lot of threats against the root account based on
     brute force attacks.  Most of us see logs on this matter in our
     workstations and servers.  Sometimes these threats, done by
     humans, network scanners or even worms, are successful.  It is
     just a matter of (bad) luck.

  3. OpenBSD is "secure by default"; all services should be configured
     to the most secure defaults.  I think that this reason is as good
     as the previous ones.  And not allowing remote root logins by
     default makes sense to me in relation to this goal.

Someone who really wants to allow remote root logins should be able to
enable this feature by just changing /etc/ssh/sshd_config.  But, in my
humble opinion, most users do not really want this dangerous feature
enabled by default.  And, even on small network appliances, an unprivileged
account in the wheel group (and even in the operator group) is a good
management practice.

[please, send copies of replies to this post to me if possible.  I will
do my best to answer any post, even if not sent to me, but it will be
more difficult tracking who sent the message I am replying to.]

Cheers,
Igor.
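
Added example, not part of the original post: a small shell check of which global PermitRootLogin value a given sshd_config yields, following the sshd_config rule that the first value read for a keyword is used. The function names, the sample files and the fallback of "yes" (the default the post describes) are assumptions; Include files and the keyword=value form are not handled.

```shell
#!/bin/sh
# Added example: audit the global PermitRootLogin setting of an sshd_config.
# sshd_config semantics relied on here:
#   - keywords are case-insensitive
#   - the first value obtained for a keyword is the one used
#   - lines after a "Match" line apply only conditionally, so they are
#     not counted as the global setting

effective_root_login() {
    # $1 = path to sshd_config
    # $2 = value to assume when the keyword is absent (assumption: "yes",
    #      as the post describes; pass the default of the sshd in use)
    awk -v fallback="${2:-yes}" '
        /^[ \t]*#/ { next }                               # comment line
        NF == 0    { next }                               # empty line
        tolower($1) == "match"           { exit }         # global section ends
        tolower($1) == "permitrootlogin" { val = $2; exit }
        END { print (val != "" ? val : fallback) }
    ' "$1"
}

root_login_denied() {
    # Succeeds only for an explicit, exact "no"; anything else is reported
    # as not denied, which errs on the side of flagging the host.
    [ "$(effective_root_login "$1" "$2")" = "no" ]
}

# Constructed sample configurations (not taken from any real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#PermitRootLogin no' 'Port 22' > "$tmp/default.conf"
printf '%s\n' 'permitrootlogin no' 'PermitRootLogin yes' > "$tmp/first_wins.conf"
printf '%s\n' 'Match Address 192.0.2.0/24' '    PermitRootLogin no' \
    > "$tmp/match_only.conf"

for f in "$tmp"/*.conf; do
    if root_login_denied "$f" yes; then state="denied"; else state="ALLOWED"; fi
    printf '%s: PermitRootLogin=%s (remote root login %s)\n' \
        "${f##*/}" "$(effective_root_login "$f" yes)" "$state"
done
```

On a live host, `sshd -T` prints the effective configuration, including Match and Include handling that this file-only check leaves out.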
