Once upon a time, Matthew Woehlke <mw_triad(a)users.sourceforge.net> said:
> Chris Adams wrote:
>> - block root logins
> This seems to be the default on some UNIX's (or, at least, it's true for
> some of the machines I work with, though it's possible that IT set it
> up). I'm indifferent; I might re-enable it (though, since I can su also,
> I might not), but I don't mind making this default.

I always thought it was odd that some things (e.g. telnet) block root
logins but others (e.g. ssh) don't. I can telnet in and then su and the
password is just as much in the clear as it would have been with
straight root-login-telnet. Either all should allow or all should block
(I personally block), except for directly attached consoles (so root can
get in when all else is broken).

Maybe sshd could be configured as "PermitRootLogin without-password",
which would require someone to configure keys (but not reconfigure sshd)
before root ssh could be used.

>> - block logins to accounts with no password
> This is different from passphrase-less keys, right? If so I'd definitely
> vote for this. It doesn't need to be exclusive with disabling root
> login, though.

Yes. I'm pretty sure there is a difference between "account with no
password" and "account with empty-string password", and the sshd option
"PermitEmptyPasswords" (which defaults to no) works as you describe.
--
Chris Adams <cmadams(a)hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
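
An added example, not part of the original message: a small audit of the two sshd_config options discussed in this thread, PermitRootLogin and PermitEmptyPasswords. The sample configuration and the function names are constructed for illustration; the check relies on sshd using the first value it reads for a keyword and treats each Match block as its own scope.

```python
import re

# Constructed sample sshd_config for illustration (not from the thread).
SAMPLE = """\
Port 22
PermitRootLogin without-password
# sshd uses the first value it reads, so this duplicate has no effect
permitrootlogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
    PermitEmptyPasswords yes
"""

def parse(text):
    """Split sshd_config text into (scope, settings) pairs.

    Keywords are case-insensitive; the first value seen in a scope is kept.
    """
    scopes = [("global", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)[\s=]+(.+)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            scopes.append(("Match " + value, {}))  # new conditional scope
        else:
            scopes[-1][1].setdefault(key, value.lower())
    return scopes

def audit(text):
    """Report scopes where root password logins or empty passwords are allowed."""
    findings = []
    for scope, cfg in parse(text):
        root = cfg.get("permitrootlogin")
        if root == "yes":
            findings.append(f"{scope}: root may log in with a password")
        elif root is None and scope == "global":
            findings.append("global: PermitRootLogin unset, default depends on the sshd version")
        # An unset PermitEmptyPasswords is not flagged: it defaults to "no".
        if cfg.get("permitemptypasswords") == "yes":
            findings.append(f"{scope}: accounts with empty passwords may log in")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The global section of the sample passes because the key-only setting comes first; only the Match block is reported.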