touch-packages team mailing list archive
Message #87172
[Bug 510732] Re: OpenSSH server sshd_config PermitRootLogin -> NO
It has been fixed upstream:
http://www.openssh.com/txt/release-6.9
--
https://bugs.launchpad.net/bugs/510732
Title:
OpenSSH server sshd_config PermitRootLogin -> NO
Status in openssh package in Ubuntu:
Opinion
Bug description:
Ubuntu does not use the root account directly so the PermitRootLogin
directive in sshd_config should be set to "no" by default. This
policy is backed by the upstream documentation:
"For security reasons, it is bad practice to log in as root during regular
use and maintenance of the system. Instead, administrators are encouraged
to add a ``regular'' user, add said user to the ``wheel'' group,
then use the su(1) and sudo(8) commands when root privileges are
required. This process is described in more detail later."
From: http://www.openbsd.org/cgi-bin/man.cgi?query=afterboot
Bruteforce attacks against the root account are now continual and have been for several years:
http://arstechnica.com/security/news/2008/05/strong-passwords-no-panacea-as-ssh-brute-force-attacks-rise.ars
If there are shortcomings in the documentation and guides for sudo
or how to use key-based authentication, then they should be addressed
there so that this default setting can be set properly.
Description: Ubuntu lucid (development branch)
Release: 10.04
openssh-server:
  Installed: 1:5.2p1-2ubuntu1
  Candidate: 1:5.2p1-2ubuntu1
  Version table:
 *** 1:5.2p1-2ubuntu1 0
        500 http://fi.archive.ubuntu.com lucid/main Packages
        100 /var/lib/dpkg/status
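As an added example (not part of the bug report or of OpenSSH), the following shell sketch reports which PermitRootLogin value a given sshd_config sets globally, so that a host relying on the compiled-in default can be told apart from one that sets the directive explicitly. The function names and the sample configuration are constructed for illustration; Include files are not followed and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example: audit the global PermitRootLogin setting in sshd_config text.
# Function names and the sample config are constructed for illustration.

# Print the first global PermitRootLogin value read from stdin, or "unset".
# Assumptions: Include files are not followed; Match blocks are not evaluated.
effective_permit_root_login() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }   # trim both ends
        /^#/ || /^$/ { next }                          # comments, blank lines
        {
            # Split keyword from argument on whitespace or "=".
            if (match($0, /[ \t=]+/)) {
                key = substr($0, 1, RSTART - 1)
                val = substr($0, RSTART + RLENGTH)
            } else { key = $0; val = "" }
            key = tolower(key)                         # keywords ignore case
            if (key == "match") exit                   # global section ends here
            if (key == "permitrootlogin") {
                split(val, w, /[ \t]+/)
                found = tolower(w[1])
                exit                                   # first value wins
            }
        }
        END { print (found == "" ? "unset" : found) }
    '
}

# Map a value to a short finding for a report.
classify_root_login() {
    case "$1" in
        no)    echo "root-login-disabled" ;;
        yes)   echo "root-password-login-allowed" ;;
        without-password|prohibit-password|forced-commands-only)
               echo "root-login-restricted" ;;
        unset) echo "compiled-in-default-applies" ;;
        *)     echo "unrecognised-value" ;;
    esac
}

# Constructed sample input, not taken from the bug report.
SAMPLE_CONFIG='Port 22
#PermitRootLogin no
  permitrootlogin   without-password
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
'
value=$(printf '%s' "$SAMPLE_CONFIG" | effective_permit_root_login)
echo "global PermitRootLogin: $value ($(classify_root_login "$value"))"
```

On a live host, `sshd -T` prints the configuration as sshd itself resolves it, including the default when the directive is absent.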