...and brute forcing has become a more acute problem in light of the recent OpenSSL vulnerability. Exploitation of weak SSH keys is made much easier if the attacker knows a valid username on the target system; by permitting root login, you are making an attacker's job much easier.
(Though [EMAIL PROTECTED] seems to argue in favour of permitting root login, he fails to make an argument - at least in README.Debian.gz - as to why it is a good idea. I hope the recent SSL key brute force proof-of-concepts serve to change his mind.) In most cases the same can be achieved through the use of a non-root user account and sudo - so IMHO rkhunter is right to warn about this, irrespective of Debian/Ubuntu defaults.

--
incorrectly warns about ssh settings
https://bugs.launchpad.net/bugs/43124