Thanks Andy; this served as a reminder to double check / tweak some of
my configuration.
Andy Smith wrote:
> 2) Don't use passwords at all, only keys.
As you say, probably not acceptable to some folks, but perhaps you can
at least default to asking only for an ssh key, and let people request a
password explicitly or set a password themselves if they can't cope with
keys?
> 3) Disable root login.
Certainly seems sensible; I thought most OSes denied it by default but I
guess I'm wrong. At the very least:
PermitRootLogin without-password
should be acceptable (and perhaps better, as people might otherwise just
change the 'no' to 'yes')
> 4) Restrict the list of usernames that are valid, in combination
> with (1) and (3).
No strong feeling on that one.
> 5) Install DenyHosts or Fail2Ban.
I'd be quite happy with this. It's something you'd probably want to
point out in the welcome email as well.
(Is either of these better than the other, and do they generally need
any tweaking from the default debian configuration?)
> 6) Move sshd to another port.
One possible downside to that is that a number of ISPs are doing traffic
prioritisation these days, and the default or normal settings for these
systems seem to put uncommon ports into low or lowest priorities. That
results in slow ssh connections if you're not careful in your port
choice. (I think, for example, plus.net will put traffic to port 2222 at
a low priority, but ssh traffic on the default jabber port seems fine.)
Joseph
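As an added example (not part of the thread above), a small POSIX sh audit of an sshd_config against points 2, 3, 4 and 6. It relies on two sshd_config rules: for each keyword the first value found is the one sshd uses, and everything after a "Match" line belongs to that conditional block rather than the global section. The sample config it writes is constructed for the demonstration; it assumes whitespace-separated "Keyword value" lines (not the "Keyword=value" form).

```shell
#!/bin/sh
# sshd_effective FILE KEYWORD -> print the global value sshd would use
# (empty if the keyword is unset in the global section).
sshd_effective() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                  # strip comments, re-split fields
        NF == 0 { next }                    # skip blank lines
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == tolower(key) {       # first value wins
            $1 = ""; sub(/^[ \t]+/, ""); print; exit
        }
    ' "$1"
}

# sshd_audit FILE -> one WARN line per weak setting; exit status = count.
sshd_audit() {
    cfg=$1; n=0
    v=$(sshd_effective "$cfg" PasswordAuthentication)
    [ "$v" = no ] || { echo "WARN: PasswordAuthentication is '${v:-unset}'; keys only means 'no'"; n=$((n+1)); }
    v=$(sshd_effective "$cfg" PermitRootLogin)
    case "$v" in
        no|without-password|prohibit-password) ;;
        *) echo "WARN: PermitRootLogin is '${v:-unset}'; set no or without-password"; n=$((n+1)) ;;
    esac
    if [ -z "$(sshd_effective "$cfg" AllowUsers)" ] && [ -z "$(sshd_effective "$cfg" AllowGroups)" ]; then
        echo "WARN: no AllowUsers/AllowGroups; every local account may attempt login"; n=$((n+1))
    fi
    v=$(sshd_effective "$cfg" Port)
    [ "${v:-22}" = 22 ] || echo "INFO: sshd listens on port $v; check the ISP does not deprioritise it"
    return "$n"
}

# sshd_write_sample -> write a constructed sample config, print its path.
sshd_write_sample() {
    f=${TMPDIR:-/tmp}/sshd_config.sample.$$
    cat > "$f" <<'EOF'
# constructed sample for the audit above, not a real host's config
Port 2222
#PermitRootLogin no
PermitRootLogin yes
PermitRootLogin no     # ignored by sshd: the first value wins
Match User backup
    PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}
```

Run it as `. ./audit.sh; sshd_audit /etc/ssh/sshd_config` on a host; the sample config above produces three warnings plus the port note.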