Comment 4 for bug 43124

Steve (st3v3) wrote :

...and brute-forcing has become a more acute problem in light of the recent OpenSSL vulnerability. Exploitation of weak SSH keys is made much easier if the attacker knows a valid username on the target system; by permitting root login, you are making an attacker's job much easier.

(Though <email address hidden> seems to argue in favour of permitting root login, he fails to make an argument - at least in README.Debian.gz - as to why it is a good idea. I hope the recent SSL key brute-force proof-of-concepts serve to change his mind.)

In most cases the same can be achieved through the use of a non-root user account and sudo - so IMHO rkhunter is right to warn about this, irrespective of Debian/Ubuntu defaults.
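As an added illustration of the check this comment defends (example code written for this page, not rkhunter's, OpenSSH's or the commenter's own), the following script reads an sshd_config the way sshd does and reports whether root login over SSH is effectively permitted. It follows the OpenSSH rule that the first occurrence of a keyword wins and accepts both "Keyword value" and "Keyword=value"; directives inside a Match block are conditional, so parsing stops there (a simplification). When PermitRootLogin is absent the compile-time default applies, and since that default differs between OpenSSH releases the caller passes the default it assumes. The sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not rkhunter's or OpenSSH's code.
# Reports the effective PermitRootLogin value of an sshd_config:
#  - comments and blank lines are skipped
#  - "Keyword value" and "Keyword=value" are both accepted
#  - the FIRST occurrence of a keyword wins (sshd_config semantics)
#  - parsing stops at the first "Match" line, because directives below it
#    apply only to matching connections (a simplification of this example)
# Usage: effective_permit_root_login FILE DEFAULT
#   DEFAULT is the compile-time default assumed when the keyword is absent;
#   it differs between OpenSSH releases, so it is not hard-coded here.
effective_permit_root_login() {
    val=$(awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            line = $0
            sub(/=/, " ", line)          # normalise "Keyword=value"
            split(line, f)
            key = tolower(f[1])
        }
        key == "match" { exit }          # conditional section: stop here
        key == "permitrootlogin" { print tolower(f[2]); exit }
    ' "$1")
    printf '%s\n' "${val:-$2}"
}

# Usage: root_login_permitted FILE DEFAULT
# Exit status 0 if the effective value is anything other than "no", i.e. an
# attacker who knows that "root" is a valid username can still try to
# authenticate as it (with a password or a weak/leaked key); 1 otherwise.
root_login_permitted() {
    [ "$(effective_permit_root_login "$1" "$2")" != "no" ]
}

# Constructed sample configs, written to a temporary directory so the
# example runs offline. Prints the directory name.
make_samples() {
    d=$(mktemp -d)
    # Weak: the setting rkhunter warns about.
    printf '%s\n' '# sshd_config' 'Port 22' 'PermitRootLogin yes' \
        'PasswordAuthentication yes' > "$d/weak"
    # Hardened: root login off; admins log in as themselves and use sudo.
    # The later Match-block override is conditional and is not consulted.
    printf '%s\n' 'Port 22' 'PermitRootLogin=no' 'Match User backup' \
        '    PermitRootLogin yes' > "$d/hardened"
    # Keyword absent: whatever default the caller assumes applies.
    printf '%s\n' '# sshd_config' 'Port 22' > "$d/absent"
    printf '%s\n' "$d"
}

# Stand-alone demo: report each constructed config.
samples=$(make_samples)
for name in weak hardened absent; do
    value=$(effective_permit_root_login "$samples/$name" yes)
    if root_login_permitted "$samples/$name" yes; then
        echo "$name: PermitRootLogin $value - WARNING, root login over SSH is permitted"
    else
        echo "$name: PermitRootLogin $value - ok"
    fi
done
rm -rf "$samples"
```

To check a real system, call `root_login_permitted /etc/ssh/sshd_config DEFAULT` with the default of the installed OpenSSH version, or compare against `sshd -T | grep -i permitrootlogin`, which prints the value sshd actually resolved, including the compiled-in default. The sudo half of the argument is a policy change rather than a config check: create an unprivileged account, grant it the needed commands in sudoers, and only then set PermitRootLogin to no, so you do not lock yourself out.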