touch-packages team mailing list archive

[Bug 510732] Re: OpenSSH server sshd_config PermitRootLogin -> NO

It has been fixed upstream:

http://www.openssh.com/txt/release-6.9

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/510732

Title:
  OpenSSH server sshd_config PermitRootLogin -> NO

Status in openssh package in Ubuntu:
  Opinion

Bug description:
  Ubuntu does not use the root account directly so the PermitRootLogin
  directive in sshd_config should be set to "no" by default.  This
  policy is backed by the upstream documentation:

      "For security reasons, it is bad practice to log in as root during regular
       use and maintenance of the system.  Instead, administrators are
       encouraged to add a ``regular'' user, add said user to the ``wheel'' group,
       then use the su(1) and sudo(8) commands when root privileges are
       required.  This process is described in more detail later."
      From: http://www.openbsd.org/cgi-bin/man.cgi?query=afterboot

  Bruteforce attacks against the root account are now continual and have been for several years:
  http://arstechnica.com/security/news/2008/05/strong-passwords-no-panacea-as-ssh-brute-force-attacks-rise.ars

  If there are shortcomings in the documentation and guides for sudo
  or how to use key-based authentication, then they should be addressed
  there so that this default setting can be set properly.

  
  Description:    Ubuntu lucid (development branch)
  Release:        10.04

  openssh-server:
    Installed: 1:5.2p1-2ubuntu1
    Candidate: 1:5.2p1-2ubuntu1
    Version table:
   *** 1:5.2p1-2ubuntu1 0
          500 http://fi.archive.ubuntu.com lucid/main Packages
          100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/510732/+subscriptions
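
Added example, not part of the bug report or of OpenSSH: a small audit of the PermitRootLogin setting discussed above, showing that the first value sshd reads wins and that a Match block can re-enable root login. The function name, the sample configurations and the `compiled_default` parameter are assumptions made for illustration.

```python
import re

# keyword and arguments are separated by whitespace or by a single "="
LINE_RE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.+)$")

def audit_permit_root_login(config_text, compiled_default):
    """Report the PermitRootLogin value sshd would take from config_text.

    compiled_default is what sshd uses when the keyword is absent; it depends
    on the OpenSSH version, so the caller supplies it (assumption).
    """
    global_value = None      # first value seen before any Match block
    overrides = []           # (match criteria, value) per Match block
    criteria = None          # None while still in the global section
    seen_in_block = False
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:        # blank line, "#" comment, or keyword without argument
            continue
        keyword, args = m.group(1).lower(), m.group(2)
        if keyword == "match":
            criteria, seen_in_block = args.strip(), False
        elif keyword == "permitrootlogin":
            value = args.split()[0].strip('"').lower()
            if criteria is None:
                if global_value is None:   # first occurrence wins, later ones are ignored
                    global_value = value
            elif not seen_in_block:
                overrides.append((criteria, value))
                seen_in_block = True
    effective = compiled_default if global_value is None else global_value
    return {
        "global": effective,
        "explicit": global_value is not None,
        "match_overrides": overrides,
        "root_login_possible": effective != "no" or any(v != "no" for _, v in overrides),
    }

# Constructed sample: the commented line is inert and the second setting loses.
SAMPLE_WEAK = """\
Port 22
#PermitRootLogin no
PermitRootLogin = yes
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""
SAMPLE_HARDENED = "Port 22\nPermitRootLogin no\n"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; this parser does not follow Include files.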