The best answer to this, in my opinion, is that the people who know enough to want the ssh service to be running also want to use it for login to the root account. So might as well have the system default to what users want.
Here are the changes that I made to sshd_config:
--- sshd_config 2011/10/29 17:40:33 1.1
+++ sshd_config 2011/11/22 16:00:40
@@ -37,7 +37,7 @@
# Authentication:
#LoginGraceTime 2m
-#PermitRootLogin yes
+PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
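Review bot: the `+PermitRootLogin without-password` line removes password authentication for root only; `PasswordAuthentication` is not touched anywhere in this patch and so stays at its default of yes, which leaves password guessing open against every other account on the host. If the goal is key-only access, add `PasswordAuthentication no` alongside it in this hunk.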
@@ -62,6 +62,7 @@
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
+ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
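Review bot: `+ChallengeResponseAuthentication no` only switches off keyboard-interactive (s/key, and PAM prompts offered that way), which is exactly what the comment two lines above it describes, "Change to no to disable s/key passwords". It does not cover plain `PasswordAuthentication`, which this patch leaves at its default, so on its own this hunk does not make the server key-only either; pair it with `PasswordAuthentication no` if that is the intent.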
I still allow root login, but I only allow it with public key authentication. That’s enough to deal with the ssh hackers.
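To see what those two changes actually leave open, here is an added example (my own script, not part of the original post and not OpenSSH code) that reproduces sshd's first-occurrence-wins rule for sshd_config keywords and reports whether password logins remain possible for root and for other accounts. The three sample config files are constructed inline; the compiled-in defaults it assumes (PermitRootLogin yes, PasswordAuthentication yes, ChallengeResponseAuthentication yes) are those of the OpenSSH of the post's era, and newer releases default PermitRootLogin to prohibit-password (with without-password kept as an alias), so confirm with `sshd -T` on the real host.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
# sshd_config semantics reproduced here: comment and blank lines are ignored,
# keywords are case-insensitive, "Key value" and "Key=value" are both accepted,
# the FIRST occurrence of a keyword wins, and everything after a Match line is
# conditional, so the global value stops being read there.
# Assumed defaults (OpenSSH of the post's era; newer releases default
# PermitRootLogin to prohibit-password): confirm with `sshd -T` on a real host.

# ssh_effective KEYWORD FILE DEFAULT -> effective first-token value, lower-cased
ssh_effective() {
    val=$(awk -v k="$1" '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }                       # strip indentation
        /^#/ || /^$/ { next }                        # comment or blank line
        tolower($1) == "match" { exit }              # end of the global section
        tolower($1) == tolower(k) { print $2; exit } # first occurrence wins
    ' "$2")
    printf '%s\n' "${val:-$3}" | tr 'A-Z' 'a-z'
}

# password_login_possible FILE -> yes|no : can ANY account authenticate with a
# password, via PasswordAuthentication or via keyboard-interactive (PAM) prompts?
password_login_possible() {
    pwa=$(ssh_effective PasswordAuthentication "$1" yes)
    cra=$(ssh_effective ChallengeResponseAuthentication "$1" yes)
    if [ "$pwa" = yes ] || [ "$cra" = yes ]; then echo yes; else echo no; fi
}

# root_password_login_possible FILE -> yes|no
root_password_login_possible() {
    case $(ssh_effective PermitRootLogin "$1" yes) in
        no|without-password|prohibit-password|forced-commands-only)
            echo no ;;                        # root is key-only (or blocked)
        *)  password_login_possible "$1" ;;   # "yes": same rules as everyone else
    esac
}

# Constructed sample files (not real host configs)
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

CFG_STOCK=$WORK/sshd_config.stock        # stock file: every keyword commented out
cat > "$CFG_STOCK" <<'EOF'
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#ChallengeResponseAuthentication yes
EOF

CFG_POST=$WORK/sshd_config.post          # the two changes from the post's diff
cat > "$CFG_POST" <<'EOF'
  PermitRootLogin without-password
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# The block below is conditional and must not count as the global value
Match User backup
    PasswordAuthentication no
EOF

CFG_KEYONLY=$WORK/sshd_config.keyonly    # what "keys only, for everyone" needs
cat > "$CFG_KEYONLY" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication=no
ChallengeResponseAuthentication no
PasswordAuthentication yes
EOF

for f in "$CFG_STOCK" "$CFG_POST" "$CFG_KEYONLY"; do
    printf '%-22s root-by-password=%-3s any-password=%s\n' "${f##*/}" \
        "$(root_password_login_possible "$f")" "$(password_login_possible "$f")"
done
```

For the post's configuration the script reports root-by-password=no but any-password=yes: root is key-only, while every other account can still be brute-forced over the network until `PasswordAuthentication no` is added as well. The last line of the key-only sample (a second `PasswordAuthentication yes`) is there to show that sshd ignores it, because the first occurrence already set the value.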
> Sorry that was actually very cryptic. So:
> Quote from the article (link as of above) SDB as follows:
>
>> PermitRootLogin can be set to yes or no. The default is yes. It is
>> wise to change it to no, since every *NIX system has the user root
>> and this user is almighty, so it is the ideal user to use to break into
>> a system. You can still gain Root privileges by typing su or sudo after
>> logging in as a normal user. You might even want to ‘Restrict the usage
>> of su’ (http://tinyurl.com/856xexf).
> Where the link going to “restrict the usage” is not followed by a page
> yet.
You could ask the writers of the wiki what their intentions were when they
wrote that. Maybe the missing page is still in the old wiki and was not
updated to the new wiki.
> So I asked myself how you would do this.
> Sorry for having been “cryptic”. Thank you for your reply.
Well… For example, having a look at the file “/etc/permissions.secure”
you can find the entry for “su”:
/bin/su root:root 4755
so that might be a way. Another is in the “/etc/permissions.paranoid” file:
/bin/su root:root 0755
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
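The two permissions entries quoted above differ only in the setuid bit. As an added example (my own script, not from the post and not openSUSE's permissions tooling), the following parses entries of that "path owner:group mode" format, says whether a profile keeps su setuid, and compares a file's actual mode against the profile, which is the mismatch the system's chkstat would flag. The profile contents are constructed excerpts built from the two entries in the post; GNU `stat -c` is assumed only in check_path.

```sh
#!/bin/sh
# Added example, not from the original post or from openSUSE's permissions tooling.
# Entries in /etc/permissions.* have the form "path owner:group mode". These
# helpers look up an entry, say whether a profile keeps a binary setuid, and
# compare a file's actual mode against the profile.
# The profile contents below are constructed excerpts built from the two entries
# quoted in the post; `stat -c` (GNU stat) is assumed only in check_path.

perm_entry() {          # perm_entry PROFILE PATH -> "owner:group mode" (empty if unlisted)
    awk -v p="$2" '
        /^[ \t]*#/ || NF < 3 { next }        # comment or malformed line
        $1 == p { print $2, $3; exit }       # first matching entry
    ' "$1"
}

mode_has_setuid() {     # mode_has_setuid MODE -> exit 0 if the setuid (4000) bit is set
    case $1 in
        [0-7][0-7][0-7])      return 1 ;;                          # no special bits
        [0-7][0-7][0-7][0-7]) sp=${1%???}; [ $(( sp & 4 )) -ne 0 ] ;;  # leading digit
        *)                    return 2 ;;                          # not an octal mode
    esac
}

normalize_mode() {      # 0755 -> 755, 4755 -> 4755, so profile and stat output compare equal
    m=$(printf '%s' "$1" | sed 's/^0*//'); printf '%s\n' "${m:-0}"
}

profile_keeps_setuid() {    # profile_keeps_setuid PROFILE PATH -> yes|no|unlisted
    entry=$(perm_entry "$1" "$2")
    [ -n "$entry" ] || { echo unlisted; return 0; }
    if mode_has_setuid "${entry#* }"; then echo yes; else echo no; fi
}

mode_matches_profile() {    # mode_matches_profile PROFILE PATH ACTUAL_MODE -> ok|mismatch|unlisted
    entry=$(perm_entry "$1" "$2")
    [ -n "$entry" ] || { echo unlisted; return 0; }
    if [ "$(normalize_mode "${entry#* }")" = "$(normalize_mode "$3")" ]; then
        echo ok
    else
        echo mismatch
    fi
}

check_path() {              # check_path PROFILE PATH -> same, reading the live mode (GNU stat)
    mode_matches_profile "$1" "$2" "$(stat -c '%a' "$2")"
}

# Constructed excerpts of the two profiles (not the real files)
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SECURE=$WORK/permissions.secure; PARANOID=$WORK/permissions.paranoid
printf '%s\n' '# constructed excerpt' '/bin/su root:root 4755' > "$SECURE"
printf '%s\n' '# constructed excerpt' '/bin/su root:root 0755' > "$PARANOID"

printf 'secure keeps su setuid:   %s\n' "$(profile_keeps_setuid "$SECURE" /bin/su)"
printf 'paranoid keeps su setuid: %s\n' "$(profile_keeps_setuid "$PARANOID" /bin/su)"
# A host whose su is still 4755 is out of policy under the paranoid profile:
printf 'su at 4755 vs paranoid:   %s\n' "$(mode_matches_profile "$PARANOID" /bin/su 4755)"
# Live check against this host's su, when present:
[ -x /bin/su ] && printf 'this host vs secure:      %s\n' "$(check_path "$SECURE" /bin/su)"
```

Switching to the paranoid entry removes the setuid bit from su, after which su cannot switch users for anyone, root's password or not, so sudo becomes the only remaining route to root; that is the trade the "paranoid" profile makes.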
On 2011-12-05 22:36, stakanov wrote:
> Yes I understand. If you read the quote of the SDB of openSUSE one is
> induced to believe that this is “best practice”. So for me it is a
> paradox that we advise in a document “it is wise to change to no” but
> that we leave the default … to yes? This is the point of
> “surprise”.
That documentation is a wiki, and its authors do not perforce have to be
the same people packaging ssh, nor do they have to agree on what the best defaults are.
–
Cheers / Saludos,
Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)
PAM just defaults to /etc/passwd if that’s the only method, otherwise it may include other methods such as LDAP or NIS.
PubkeyAuthentication is a different kettle of fish. There you trust the user to protect the private part of the pubkey with a strong passphrase. He could just as easily make it passwordless, with all the attendant risks, but this has uses for accounts that use automated scripts.