Jim Perrin wrote: > On Jan 29, 2008 5:52 AM, mouss <mouss at netoyen.net> wrote: >> Jim Perrin wrote: >>> Along the lines of staying safe, now is probably a good time to check >>> your password policies. >>> >>> 1. Don't allow root access to ssh. (modify /etc/ssh/sshd_config) >>> >> why isn't this the default? >> > > Taking an educated guess on this one, I'd say to allow configuration > after a remote install. > >>> 2. restrict root logins to only the local machine. (modify /etc/securetty) >>> 3. Limit users with access to 'su' to the wheel group (use visudo and >>> also modify /etc/pam.d/su) >>> >> same question here. > > For this one I'd guess that it's because by default folks don't get > added to wheel. So if an admin forgets to add his own user account, he > can no longer gain root with 'su'. He has to walk his happy ass to > the console to log in. Everything about the *nix culture points to not > walking anywhere except possibly to a pub :-P Well ... not to say anything bad about beer, BUT The real reason is that RHEL does not ship that way, so CentOS does not either. The bottom line for this and all other questions like it is this: We clone the configuration of the upstream system on purpose so that CentOS performs as much as possible like the upstream product ... if/when they change the defaults, so will we. Thanks, Johnny Hughes -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 252 bytes Desc: OpenPGP digital signature URL: <http://lists.centos.org/pipermail/centos/attachments/20080129/323a8b3f/attachment-0005.sig>