root password vulnerability

[rusty123]

It does not mention, but TinyCore comes with root user's password set to root.
Since one can simply sudo su as default user tc, it's really used or mentioned.
What happens however, that it can be overlooked at install time to change the root password (since there is nothing guiding the install process). This fact combined with the sshd_config default setting: #PermitRootLogin yes
can lead to disaster.

I suggest including change of root password in the install docs (I am not sure if it can be disabled with a "*" in /etc/shadow ??)

[gutmensch]

confirmed, default setting in sshd_config should be:

PermitRootLogin no

[Kingdomcome]

The packaged sshd_config is unchanged from upstream source.  But if there is enough popular demand, I can easily change that one setting.

[Kingdomcome]

[edit:  removed incorrect assumption]

Never the less, I will look at adjusting the extension.

Contrary to my memory and assumption, the default config does in fact allow root login.  I will submit an adjusted extension shortly.

[vitex]

[edit:  removed incorrect assumption]

Never the less, I will look at adjusting the extension.

Contrary to my memory and assumption, the default config does in fact allow root login.  I will submit an adjusted extension shortly.

Please consider changing PermitRootLogin to without-password to prohibit logins via passwords but not public keys.

[Kingdomcome]

I did not edit the default upstream config, I dont believe it is my place to.  What I did was change the extension so that the user must copy the example configs to the correct names and edit to suit their situation.  I also added a warning in the info file that the default sshd_config contains possible security concerns.