Package: openssh-server
Version: 1:4.3p2-9
Severity: important

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Password strength is important on public-facing servers running sshd. It may not be apparent that users other than the intended ssh user can make the system vulnerable with their weak passwords. Bot attacks use whois information and email addresses to guess probable user names for brute-force attacks. Enabling all users by default is a very bad idea.

The trade-off is the extra hassle of commenting out an AllowUsers line for installations that want all users to be able to use ssh. At the very least there should be a commented-out AllowUsers line in sshd_config - but that is really not good enough. I strongly urge that all user logins facing the network should be disabled by default.

I couldn't find such a disabled-by-default philosophy listed in Debian policy, but it should be.
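As an added illustration of the point above (this is not part of the bug report and not Debian's or OpenSSH's own code), the POSIX shell audit below compares a weak sshd_config with no AllowUsers line against a hardened one, and lists which accounts from a passwd file could reach sshd in each case. The config files and the passwd entries are constructed sample data; the function names (ssh_allow_users, interactive_accounts, effective_ssh_users, audit_sshd_config) are this example's own.

```shell
#!/bin/sh
# Audit sshd_config for an AllowUsers restriction and show which local
# accounts would be accepted by sshd without one. Sample inputs are
# constructed here; nothing is read from the live system.

# Print the AllowUsers list from an sshd_config (keyword is case-insensitive,
# first uncommented match wins, as sshd itself behaves). Empty if absent.
ssh_allow_users() {
    awk 'tolower($1)=="allowusers" { $1=""; sub(/^ +/, ""); print; exit }' "$1"
}

# Accounts in a passwd file whose login shell is interactive. These are the
# accounts a password-guessing bot can target when no AllowUsers line exists.
# (PermitRootLogin and PAM account checks are deliberately not modelled.)
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Effective set of users sshd accepts: the AllowUsers list if present,
# otherwise every interactive account on the box.
effective_ssh_users() {
    allow=$(ssh_allow_users "$1")
    if [ -n "$allow" ]; then
        printf '%s\n' $allow        # word-split the AllowUsers list
    else
        interactive_accounts "$2"
    fi
}

# Human-readable report for one config/passwd pair.
audit_sshd_config() {
    if [ -z "$(ssh_allow_users "$1")" ]; then
        echo "$1: no AllowUsers line; every interactive account is exposed:"
    else
        echo "$1: AllowUsers restricts ssh to:"
    fi
    effective_ssh_users "$1" "$2" | sed 's/^/  /'
}

# --- constructed sample data ------------------------------------------------
SSH_AUDIT_DIR=$(mktemp -d)
SAMPLE_PASSWD="$SSH_AUDIT_DIR/passwd"
WEAK_CFG="$SSH_AUDIT_DIR/sshd_config.weak"
HARDENED_CFG="$SSH_AUDIT_DIR/sshd_config.hardened"

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:Admin:/home/admin:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/false
webmaster:x:1001:1001:Web Contact:/home/webmaster:/bin/bash
EOF

# Weak: default-style config, no login restriction at all.
cat > "$WEAK_CFG" <<'EOF'
Port 22
Protocol 2
PasswordAuthentication yes
EOF

# Hardened: identical, plus the AllowUsers line the report asks for.
cat > "$HARDENED_CFG" <<'EOF'
Port 22
Protocol 2
PasswordAuthentication yes
AllowUsers admin
EOF

audit_sshd_config "$WEAK_CFG" "$SAMPLE_PASSWD"
audit_sshd_config "$HARDENED_CFG" "$SAMPLE_PASSWD"
```

With the sample data, the weak config exposes root, admin and webmaster (the guessable "webmaster" contact account is exactly the kind of target the report describes), while the hardened config reduces the reachable set to admin alone. On a real host, run it against /etc/ssh/sshd_config and /etc/passwd.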