From 18a9bd1867ee6fb9d913515773b322a279759b5d Mon Sep 17 00:00:00 2001 From: Colin Watson Date: Sun, 29 Nov 2015 17:34:13 +0000 Subject: Change "PermitRootLogin without-password" to the new preferred spelling of "PermitRootLogin prohibit-password" in sshd_config, and update documentation to reflect the new upstream default. --- debian/README.Debian | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'debian/README.Debian') diff --git a/debian/README.Debian b/debian/README.Debian index dee9ddb21..9d029585c 100644 --- a/debian/README.Debian +++ b/debian/README.Debian @@ -19,7 +19,8 @@ PermitRootLogin --------------- As of 1:6.6p1-1, new installations will be set to "PermitRootLogin -without-password". This disables password authentication for root, foiling +without-password" (or the synonymous "PermitRootLogin prohibit-password" as +of 1:7.0p1-1). This disables password authentication for root, foiling password dictionary attacks on the root user. Some sites may wish to use the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no", but note that "PermitRootLogin no" will break setups that SSH to root with a @@ -34,7 +35,7 @@ ssh restart" as root. Disabling PermitRootLogin means that an attacker possessing credentials for the root account (any credentials in the case of "yes", or private key -material in the case of "without-password") must compromise a normal user +material in the case of "prohibit-password") must compromise a normal user account rather than being able to SSH directly to root. Be careful to avoid a false illusion of security if you change this setting; any account you escalate to root from should be considered equivalent to root for the 
@@ -44,7 +45,9 @@ it if you know you will only ever log in as root from the physical console. Since the root account does not generally have non-password credentials unless you explicitly install an SSH public key in its ~/.ssh/authorized_keys, which you presumably only do if you want to SSH to -it, "without-password" should be a reasonable default for most sites. +it, "prohibit-password" should be a reasonable default for most sites. + +As of OpenSSH 7.0, this is the upstream default. For further discussion, see: -- cgit v1.2.3
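Review bot: The first hunk (@@ -19,7 +19,8 @@) still leads with the old spelling, `"PermitRootLogin -without-password"`, and only mentions "prohibit-password" in a parenthetical, while the two later hunks replace "without-password" with "prohibit-password" outright; the commit subject says the file is being changed to the new preferred spelling, so the lead sentence should read `new installations will be set to "PermitRootLogin prohibit-password" (or the synonymous "without-password" before 1:7.0p1-1)` so that the term used in the later paragraphs is the one introduced here.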
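Review bot: In the second hunk (@@ -34,7 +35,7 @@) the parenthetical `material in the case of "prohibit-password")` drops the old spelling entirely, but the first hunk states that 1:6.6p1-1 installations were set to "without-password", so an administrator reading this paragraph against an older sshd_config will not find their setting named; consider `(or the synonymous "without-password")` here, or keep only one spelling throughout the file.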
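Review bot: In the third hunk (@@ -44,7 +45,9 @@) the added line `+As of OpenSSH 7.0, this is the upstream default.` has an ambiguous "this" (it follows a sentence about both the setting and the presence of an authorized key) and uses an upstream version number where the rest of the section uses Debian package versions such as 1:6.6p1-1 and 1:7.0p1-1; suggest `As of OpenSSH 7.0 (1:7.0p1-1), "prohibit-password" is also the upstream default.` so the statement is unambiguous and the version convention stays consistent.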