On Thu, 23 Nov 2006, Darrin Chandler wrote:

> No. It would be simple enough to disable everything, but that wouldn't
> be functional. OpenBSD has an excellent track record for security, yet
> many useful things are enabled by default. Do you *really* believe that
> nobody has thought about turning off root ssh in the default configs? Of
> course they have. Yet it remains enabled. Selecting a secure password
> for root is YOUR responsibility.

You know, I seem to recall that many versions ago (maybe even as far
back as 2.xx) root login on ssh *was* disallowed by default.
I recall being bitten by it, too, on "remote" (other-side-of-the-room)
installations on headless machines.

At worst you have a small window during installation in which root
logins are allowed, before you shut them off by chroot'ing as Paul
outlined in his post.

btw, that chroot to /mnt may not be obvious to some, and a little
advisory (or even a menu choice) at the end of the install script
might be a good use of 100 bytes or so.

Halt now (H), Chroot to installed system (C) or shell (S)? [S]

Dave
-- 
  "Confound these wretched rodents! For every one I fling away,
               a dozen more vex me!" -- Doctor Doom
