[Bug 510732] [NEW] OpenSSH server sshd_config PermitRootLogin -> NO
Lars Noodén
larsnooden at openoffice.org
Thu Jan 21 16:21:25 GMT 2010
Public bug reported:
Ubuntu does not use the root account directly so the PermitRootLogin
directive in sshd_config should be set to "no" by default. This policy
is backed by the upstream documentation:
"For security reasons, it is bad practice to log in as root during regular
use and maintenance of the system. Instead, administrators are encouraged
to add a ``regular'' user, add said user to the ``wheel'' group,
then use the su(1) and sudo(8) commands when root privileges are required.
This process is described in more detail later."
From: http://www.openbsd.org/cgi-bin/man.cgi?query=afterboot
Brute-force attacks against the root account are now continual and have been for several years:
http://arstechnica.com/security/news/2008/05/strong-passwords-no-panacea-as-ssh-brute-force-attacks-rise.ars
If there are shortcomings in the documentation and guides for sudo
or how to use key-based authentication, then they should be addressed
there so that this default setting can be set properly.
Description: Ubuntu lucid (development branch)
Release: 10.04
openssh-server:
Installed: 1:5.2p1-2ubuntu1
Candidate: 1:5.2p1-2ubuntu1
Version table:
*** 1:5.2p1-2ubuntu1 0
500 http://fi.archive.ubuntu.com lucid/main Packages
100 /var/lib/dpkg/status
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
** Tags: configuration permitrootlogin
--
OpenSSH server sshd_config PermitRootLogin -> NO
https://bugs.launchpad.net/bugs/510732
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openssh in ubuntu.
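
One way to audit the setting this report is about, as an added example that is not part of the original bug report or of the openssh package: a shell function that reads the global PermitRootLogin value from an sshd_config-style file. The function names and the sample config are constructed for illustration; the check relies on sshd using the first value it reads for a keyword and looks only at the global section, not inside Match blocks.

```shell
#!/bin/sh
# Added example: audit the global PermitRootLogin value in an sshd_config file.
# Function names and the sample config below are constructed for illustration.

# Print the first global PermitRootLogin value as written. Prints "unset" when
# the directive is absent, commented out, or only set inside a Match block.
permit_root_login() {
    awk '
        { sub(/^[ \t]+/, "") }              # strip leading whitespace
        /^#/ || /^$/ { next }               # skip comments and blank lines
        {
            split($0, f, /[ \t=]+/)         # "Keyword value" or "Keyword=value"
            key = tolower(f[1])             # keywords are case-insensitive
            if (key == "match") exit        # global section ends at first Match
            if (key == "permitrootlogin") { # sshd keeps the first value it reads
                v = f[2]; gsub(/"/, "", v)  # value kept as-is, quotes dropped
                print v; found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when root login over SSH is explicitly set to "no".
root_login_disabled() {
    [ "$(permit_root_login "$1")" = "no" ]
}

# Constructed sample: a commented-out line, then two conflicting settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
EOF
echo "global PermitRootLogin: $(permit_root_login "$sample")"
if root_login_disabled "$sample"; then
    echo "root login over SSH is disabled globally"
else
    echo "root login over SSH is NOT explicitly disabled"
fi
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration, including this keyword, after sshd's own parsing rules have been applied.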