git: SSHD - Change default security
Matthew Dillon
dillon at apollo.backplane.com
Sun Nov 15 12:38:20 PST 2009
I think this is our chance to get people to think more seriously
about security in a world where plain-text password access has been
under serious attack for the last 20 years now, and getting more
serious every day. Passwords for shell access (via ssh) are dead in
the modern world. It is just too dangerous in my view.

This doesn't affect workstation or console logins or su, only incoming
ssh connections. And this only affects new installs, not upgrades.

If a user installing a new system wants to use a password for incoming
ssh access they have to enable it for ssh in /etc/ssh/sshd_config...
that really is not any more complicated than users who wanted to enable
incoming root access via ssh and also had to (previously) edit
/etc/ssh/sshd_config. Now both cases are uniform. Sshd by default
allows you to use public keys but not passwords on new installs.
Simple.

Hmm. Do users still have to generate the host keys or does our
installer do that now?

I personally believe that installing a ssh key by pulling it over a
network, e.g. with 'fetch', is just as easy as installing a password.
The network has to be operational to access the machine remotely
anyway so... Not only that, but we already have remote configuration
tools (rconfig) which can be used to grant initial remote access by
installing appropriate keys.

OPIE would be a cool thing to have, I won't stop anyone who wants to
make that work.

-Matt
Matthew Dillon
<dillon at backplane.com>
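
An added example, not part of the original message or of the commit it discusses: a small audit that reads an sshd_config and lists every way the server could still accept a password over ssh, which is the property the new default is meant to guarantee. The message does not say which lines the commit changed, so the keywords used here are the standard OpenSSH ones, and the fallback values are upstream OpenSSH defaults (an assumption about the installed build).

```python
# Upstream OpenSSH values used when a keyword is absent (assumption: the
# installed sshd was not built with different compiled-in defaults).
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "pubkeyauthentication": "yes", "usepam": "no"}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse(text):
    """Return (global settings, overrides found inside Match blocks)."""
    settings, overrides, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # commented-out lines set nothing
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True               # a Match block runs to the next Match or EOF
        elif in_match:
            overrides.append((key, value))
        else:
            settings.setdefault(key, value)   # sshd keeps the first value seen
    return settings, overrides

def password_paths(text):
    """List every way this config could still accept a password over ssh."""
    settings, overrides = parse(text)
    eff = {**DEFAULTS, **settings}
    found = []
    if eff["passwordauthentication"] == "yes":
        found.append("global PasswordAuthentication yes")
    if eff["kbdinteractiveauthentication"] == "yes" and eff["usepam"] == "yes":
        found.append("keyboard-interactive via PAM")
    for key, value in overrides:
        if key in ("passwordauthentication", "kbdinteractiveauthentication") and value == "yes":
            found.append("Match block sets " + key + " yes")
    return found

# Constructed sample configs, not taken from any real install.
KEYS_ONLY = "PasswordAuthentication no\nKbdInteractiveAuthentication no\nUsePAM yes\n"
COMMENTED = "#PasswordAuthentication no\nPubkeyAuthentication yes\n"
LEAKY = ("PasswordAuthentication no\nPasswordAuthentication yes\nUsePAM yes\n"
         "Match Address 10.0.0.0/8\n    PasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("KEYS_ONLY", KEYS_ONLY), ("COMMENTED", COMMENTED), ("LEAKY", LEAKY)):
        print(name, password_paths(cfg) or "keys only")
```

On a live system, `sshd -T` prints the effective configuration as the daemon itself resolves it and is the authoritative check; the parser above only approximates the first-value-wins and Match rules for offline review.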