From: David Schwartz
Date: Sun, 7 Oct 2001 14:22:16 -0700
In-Reply-To: <200110061024.MAA23902@lurza.secnetix.de>
Subject: Re: Why sshd:PermitRootLogin = no ?
Message-ID: <20011007212217.AAA6070@shell.webmaster.com@whenever>
Sender: owner-freebsd-stable@FreeBSD.ORG

On Sat, 6 Oct 2001 12:24:20 +0200 (CEST), Oliver Fromme wrote:

>There are installations where people don't want root logins to be enabled,
>whether with password or not. This includes many of the machines I am
>responsible for -- If the default was changed, I'd have to edit sshd_config
>and replace "without-password" with "no" everywhere.

Why? Having it set to "without-password" doesn't allow root logins and
neither does "no", so what difference does it make either way? Both settings
have the precise same effect unless other changes are made.

Anyone who could or would install a key for root could or would change the
default root login option. One can make an argument that someone would be
quite likely to change the default from "no" to "yes" (because they might not
even know about the "without-password" option). So having the option set to
"without-password" could actually be more secure in fairly realistic
circumstances.

DS
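
Added example, not part of the original message or of OpenSSH: a small audit helper that reads PermitRootLogin from sshd_config text and reports how root could authenticate, depending on whether a key is installed for root. The function names and sample configs are constructed for illustration; it assumes an unset option means "no" (the shipped setting the thread describes), ignores Match blocks, and assumes root has a password with password authentication enabled.

```python
import re

# prohibit-password is the newer OpenSSH spelling of without-password.
ALIASES = {"prohibit-password": "without-password"}

def permit_root_login(config_text, default="no"):
    """Global PermitRootLogin value. sshd keeps the first value it reads.
    default="no" is the shipped setting the thread describes (assumption)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # simplification: conditional blocks are ignored
            break
        if key == "permitrootlogin" and len(parts) == 2 and parts[1].split():
            value = parts[1].split()[0].strip('"').lower()
            return ALIASES.get(value, value)
    return default

def root_login_methods(value, root_has_key):
    """Ways root can authenticate over SSH. Assumes root has a password and
    password authentication is enabled, so "yes" always exposes it."""
    key = {"publickey"} if root_has_key else set()
    if value == "yes":
        return {"password"} | key
    if value == "without-password":
        return key
    if value == "forced-commands-only":
        return {"publickey+forced-command"} if root_has_key else set()
    if value == "no":
        return set()
    raise ValueError(f"unknown PermitRootLogin value: {value!r}")

if __name__ == "__main__":
    # Constructed sshd_config fragments, one per setting discussed in the thread.
    samples = {
        "shipped": "Port 22\nPermitRootLogin no\n",
        "proposed": "Port 22\nPermitRootLogin without-password\n",
        "admin edit": "Port 22\nPermitRootLogin yes\n",
    }
    for name, text in samples.items():
        value = permit_root_login(text)
        for has_key in (False, True):
            methods = sorted(root_login_methods(value, has_key)) or ["none"]
            print(f"{name:10} {value:17} root key={has_key!s:5} -> {', '.join(methods)}")
```

With no key installed for root, "no" and "without-password" both report no login method; they differ only once a root key exists, and "yes" is the only setting that exposes the root password.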