Author: Daniel Reurich Date: To: dng@lists.dyne.org Subject: Re: [DNG] minor packaging quibbles in devuan cli
On 23/03/16 12:02, Adam Borowski wrote:
> On Wed, Mar 23, 2016 at 11:44:30AM +1300, Daniel Reurich wrote:
>> On 23/03/16 11:35, Adam Borowski wrote:
>>> I hope you know that, since jessie, password remote logins for
>>> root are disabled unless you enable them yourself.
>>>
>> I think this is problematic and should be prompted for during the
>> install - like I'm pretty sure it was during the install of
>> wheezy...
>>
>> Seeing we're already rebuilding openssh I'll look into it if someone
>> will do me a favour and create an issue against that project in
>> git.devuan.org
>
> Uhm, why? That's a reasonable default.

Because it prevents being able to do a minimal install with only a root
user setup (which is how I normally set up servers) and being able to ssh
in post-install using a password in order to be able to install my ssh
pubkey. (From the standard installer it's impossible to pre-load an ssh
key during the install without pre-seeding).

> If someone wants that badly to enable remote passwords for root, they
> can edit /etc/ssh/sshd_config, same as for any dubious security
> practice. In the meantime, the rest of us either log as a user
> first or use keypairs.
>
> And as so many people use weak passwords, disabling this avenue of
> attack by default is important.

I disagree. It's really no less secure than having a user account with
a user that has a weak password being able to sudo to root.
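
The /etc/ssh/sshd_config setting the thread argues about can be checked mechanically. The following is an added example, not part of the original messages: a small Python check of whether a config's global section allows root to log in with a password. `PermitRootLogin` and `PasswordAuthentication` are real sshd_config keywords; both sample configs are constructed, and the fallback default is an assumption passed as a parameter.

```python
# Added example. Both configs below are constructed samples.
JESSIE_STYLE = """\
# constructed: the kind of default the thread describes
PermitRootLogin without-password
PasswordAuthentication yes
"""

EDITED = """\
# constructed: an admin re-enabled root passwords near the top
PermitRootLogin yes
#PasswordAuthentication no
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin no
"""


def global_settings(text):
    """Collect global keywords; sshd uses the first value it obtains."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":
            break                       # Match blocks are out of scope here
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        seen.setdefault(key, value)     # later duplicates are ignored
    return seen


def root_password_login(text, default_root="prohibit-password"):
    """True if root may authenticate with a password (global section only).

    default_root is an assumption: what applies when the file is silent.
    Include files and keyboard-interactive/PAM are not evaluated.
    """
    cfg = global_settings(text)
    root = cfg.get("permitrootlogin", default_root)
    if root == "without-password":      # older spelling of prohibit-password
        root = "prohibit-password"
    password_auth = cfg.get("passwordauthentication", "yes")
    return root == "yes" and password_auth == "yes"
```

The second sample shows why the position of an edit matters: the later `PermitRootLogin no` has no effect because the first value wins. On a live host, `sshd -T` prints the effective configuration.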