On Jul 28, 2015, at 8:37 PM, Gordon Messmer <gordon.messmer at gmail.com> wrote:
>
> On 07/28/2015 04:29 PM, Warren Young wrote:
>> They turned off "PermitRootLogin yes" and "Protocol 1" in EL6 or EL7, the previous low-hanging fruit. Do you think those were bad decisions, too?
>
> As far as I know, PermitRootLogin has not been set to "no" by default.

My mistake. I grepped sshd_config on a fresh EL7 machine here and saw

#PermitRootLogin yes

and assumed it meant “no”. It’s just documenting the default.

I explicitly set it to “no” on systems I am solely in control of, and I’d prefer that upstream changed that default in the precursor(s) to CentOS 8, too.

EL7 ships ready to use sudo out-of-the-box, if you tick the “administrative user” checkbox on the non-root user during install. That removes the last good reason to allow remote root logins by default.
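
An added example, not part of the original message: a shell function that resolves the global PermitRootLogin value from sshd_config text the way the message describes, treating a commented line as documentation only. The function and sample names are hypothetical, the fallback of "yes" is the EL7 default as stated in the message, and the sketch assumes whitespace-separated keywords, no Include files, and global scope only (it stops at the first Match block).

```shell
#!/bin/sh
# Added example (not from the original message).
# Reads sshd_config text on stdin and prints the global PermitRootLogin value.
# $1 = value to report when no active line sets it; "yes" is assumed here
#      because the message says the commented line documents the EL7 default.
effective_permit_root_login() {
    awk -v def="${1:-yes}" '
        NF == 0 || $1 ~ /^#/ { next }      # blank or comment: configures nothing
        { key = tolower($1) }              # sshd keywords are case-insensitive
        key == "match" { exit }            # global section ends at first Match
        key == "permitrootlogin" {         # first active value wins
            val = $2; found = 1; exit
        }
        END { print (found ? val : def) }
    '
}

# Constructed sample: a stock file where the setting only appears as a comment.
sample_stock() {
    printf '%s\n' '#LoginGraceTime 2m' '#PermitRootLogin yes' '#StrictModes yes'
}

# Constructed sample: an admin has added an active line; a later duplicate
# is ignored because sshd uses the first value it obtains for a keyword.
sample_hardened() {
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' 'PermitRootLogin yes'
}

echo "stock:    $(sample_stock | effective_permit_root_login)"
echo "hardened: $(sample_hardened | effective_permit_root_login)"
```

On a live host, `sshd -T` prints the effective configuration directly and avoids reading the file by eye.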