[openssh] Root login enabled by default (security issue)

Bug #56143 reported by Wesley Schwengle
Affects: openssh (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: -

Bug Description

Binary package hint: openssh-server

A default installation of the openssh-server package has (IMHO) a security issue. The default sshd_config has root login enabled. I find this very insecure. It looks like the package assumes people did not change the default root setup for Ubuntu. As soon as one changes this, and has not looked at the default sshd config, one has a potential security issue. Root accounts should not be allowed to log in to any server. Allowing this as a default is bad practice.

Please change the following line:

PermitRootLogin yes

to:

PermitRootLogin no

Matt Zimmerman (mdz) wrote :

No, this is unrelated to Ubuntu's authentication model. This is in fact the default setting provided by the upstream OpenSSH developers. /usr/share/doc/openssh-server/README.Debian.gz explains.

Changed in openssh:
status: Unconfirmed → Confirmed
Dennis Kaarsemaker (dennis) wrote :

This bug has been filed quite a few times already in both Debian and Ubuntu -- it has been rejected as many times too.

Changed in openssh:
status: Confirmed → Rejected
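
A check for the setting this report is about, as an added example that is not part of the bug report or of the openssh package. It assumes whitespace-separated "Keyword value" lines and does not follow Include files; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the global PermitRootLogin value an sshd_config sets.
# Assumptions: "Keyword value" lines split on whitespace; Include is not followed.

effective_root_login() {
    # sshd uses the first value it reads for a keyword, keywords are
    # case-insensitive, and anything after a Match line is conditional.
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { in_match = 1; next }
        tolower($1) == "permitrootlogin" && !in_match && !found {
            val = tolower($2); gsub(/"/, "", val); found = 1
        }
        END { print (found ? val : "unset") }
    ' "$1"
}

root_login_verdict() {
    case "$(effective_root_login "$1")" in
        no)    echo "ok: root cannot log in over SSH" ;;
        yes)   echo "finding: root login allowed with any enabled auth method" ;;
        unset) echo "review: no explicit setting, compiled-in default applies" ;;
        *)     echo "review: root login restricted but still possible" ;;
    esac
}

# Constructed sample files (not taken from any real host).
demo_dir=$(mktemp -d)
printf '%s\n' '# default described in the report' 'PermitRootLogin yes' \
    > "$demo_dir/default"
printf '%s\n' 'permitrootlogin no' 'PermitRootLogin yes' \
    > "$demo_dir/first_wins"
printf '%s\n' '#PermitRootLogin no' 'Match Address 192.0.2.0/24' \
    '    PermitRootLogin yes' > "$demo_dir/match_only"

for f in default first_wins match_only; do
    printf '%-11s %s\n' "$f" "$(root_login_verdict "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```

On a running host, `sshd -T` prints the configuration the daemon actually resolves, including Include files and compiled-in defaults, and is the authoritative check.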