Subject: Re: sshd won't allow access by root
To: William Allen Simpson <wsimpson@greendragon.com>
From: Roland Dowdeswell <elric@imrryr.org>
List: tech-install
Date: 09/28/2002 11:13:03
On 1033222130 seconds since the Beginning of the UNIX epoch
William Allen Simpson wrote:
>
>Anyway, this is a significant change from longstanding OpenSSH practice,
>and COMPLETELY UNDOCUMENTED.
Yes, it appears that the documentation does not match the src.
I've just submitted a PR to resolve this issue. And checked in a
fix to the man page into current. I'll request that the documentation
change be pulled up to the release branches. This will at least
take care of the documentation issues.
Whether this is the correct setting is another discussion of course.
The rational behind the decision is to make the behaviour of sshd
consistent with the rest of the system which does not allow root
to log in w/ a passwd from anything but the console.
I would certainly go as far as to suggest that for actual consistency,
we should make the setting ``without-password'' rather than ``no'',
because via krb5 for example, you can log in as root over telnetd
on an insecure tty. Granted though, that in that case I'd be coming
in as elric/root@IMRRYR.ORG and so there's more of an audit trail.
We should probably change the comments in the default sshd_config
to match the change in defaults as well.
--
Roland Dowdeswell http://www.Imrryr.ORG/~elric/