Adam Borowski <kilobyte@???> writes:
> On Wed, Mar 23, 2016 at 11:44:30AM +1300, Daniel Reurich wrote:
>> On 23/03/16 11:35, Adam Borowski wrote:
>> > I hope you know that, since jessie, password remote logins for root are
>> > disabled unless you enable them yourself.
>> >
>> I think this is problematic and should be prompted for during the
>> install - like I'm pretty sure it was during the install of wheezy...
>>
>> Seen we're already rebuilding openssh I'll look into it if someone will
>> do me a favour and create an issue against that project in git.devuan.org
>
> Uhm, why? That's a reasonable default.
> If someone wants that badly to enable remote passwords for root, they can
> edit /etc/ssh/sshd_config, same as for any dubious security practice. In
> the meantime, the rest of us either log as an user first or use
> keypairs.

That's not "a reasonable default", rather a pointless inconvenience
justified by clueless paranoia (at best) masking itself with the usual
"holier-than-thou". "Failed ssh authentications", while surely being a
nuisance, are not in themselves anyhow dangerous. Further, scripts
trying to "brute-force" usernames and passwords do exist and considering
that

> And as so many people use weak passwords, disabling this avenue of attack by
> default is important.

'usernames' are often easily guessable (and should be as they're not
supposed to double up as authentication secrets), finding a username is
a lot easier than a decent passwords.

If you (or anyone else) desires to worry about "password policies",
considering worrying about your own instead of baseless conjectures of
other people's and even more baseless "dramatic accusations" (Dubious
security practice !!1) based on nothing but said baseless conjectures.