[BlueOnyx:17156] Re: Two small 5208R bugs - fixed

Dogsbody dan at dogsbody.org
Sat Feb 28 10:39:55 -05 2015


On 27/02/15 04:05, Michael Stauber wrote:
> You do have shell users that login via SSH? Most people prefer to not
> grant anyone shell access. For security reasons as we don't chroot shell
> users.

We have four 5108R & 5208R boxes, each one has a different security risk 
assessment.  In this case, the people logging in via SSH are employees 
of the company so we feel we can trust them :-)

> <sigh> And there goes the appliance approach right out of the window.
> You DO know that the way it is NOW is the way that it has been for
> years. And this never was an issue. The only problem is/was that the
> recent updates made the settings flip back to default on CCEd restarts.

Absolutely, and this is exactly the issue I'm afraid.  This is also the 
exact problem with the appliance approach, just as you say, it has to 
try and be everything for everyone :-/

> Or you could simply set "PermitRootLogin" to "No", SSH in as "admin" and
> "su -" to gain root access. That's how it has always been and that is
> what the default after a fresh install is.

Unfortunately rsync can't do this :-/

> So let's do this. In the near future (next couple of days, maybe a week
> or two) I'll add "without-password" and "forced-commands-only" as
> allowed options to PermitRootLogin. Even if I think that it's unwise, as
> it might encourage people to enable shell for non-root users.

That would be perfect.  Thank you very very much.

Regards, Dan
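
The exchange above turns on letting rsync run as root without opening a general root shell, which is what `PermitRootLogin forced-commands-only` combined with a `command=` restriction on the backup key provides. The wrapper below is an added example, not part of the original message or of BlueOnyx; the script path, `ALLOWED_ROOT` and the `is_allowed_rsync` helper are assumptions, and it is narrowed to pull-only (read) transfers.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed setup:
#   /etc/ssh/sshd_config:       PermitRootLogin forced-commands-only
#   /root/.ssh/authorized_keys: command="/usr/local/sbin/rsync-pull-only.sh",no-pty,
#       no-port-forwarding,no-agent-forwarding,no-X11-forwarding <backup public key>
#   (the authorized_keys entry is a single line; wrapped here for width)
ALLOWED_ROOT=/srv/backup-src   # placeholder: the only tree this key may read

# Succeeds only for a server-side, read-only rsync of paths under ALLOWED_ROOT.
# This is a string check; it does not resolve symlinks inside ALLOWED_ROOT.
is_allowed_rsync() {
    case $1 in
        ''|*[!A-Za-z0-9\ ._/-]*) return 1 ;;     # character allow-list, no shell metacharacters
    esac
    rest=${1#"rsync --server --sender "}         # --sender: the remote side only sends
    [ "$rest" != "$1" ] || return 1
    state=0                                      # 0 options, 1 saw ".", 2 saw a path
    for word in $rest; do                        # safe to split after the allow-list
        case $state:$word in
            0:.)    state=1 ;;
            0:--*)  return 1 ;;                  # long options refused, e.g. --remove-source-files
            0:-*)   ;;                           # short option bundle from the client
            0:*)    return 1 ;;
            [12]:*..*) return 1 ;;               # no parent-directory traversal
            [12]:"$ALLOWED_ROOT"/*) state=2 ;;
            *)      return 1 ;;
        esac
    done
    [ "$state" = 2 ]
}

# sshd puts the client's requested command in SSH_ORIGINAL_COMMAND. An interactive
# login leaves it empty, so the script simply ends and no shell is started.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if is_allowed_rsync "$SSH_ORIGINAL_COMMAND"; then
        exec $SSH_ORIGINAL_COMMAND               # unquoted on purpose: split into argv
    fi
    logger -p auth.warning -t rsync-pull-only "rejected: $SSH_ORIGINAL_COMMAND"
    exit 1
fi
```

Paths containing spaces or wildcards are refused by this check; the `rrsync` script distributed with rsync is the maintained tool for the same job.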


