Excuses
By Adrian Sutton
Brad comments on my condemnation of root login being enabled in the default SSH config for Debian systems (noting again that SSH is disabled by default).
“Debian’s SSH package explicitly asks if you want to run the ssh daemon, and by choosing to do so, you take a certain level of responsibility into your hands.”
Granted – Sandra acknowledged this and I acknowledged this.
“I don’t agree that it’s the software’s fault more than the user’s – as a maintainer you make some assumptions, some of which will not match the user’s requirements, and it’s up to the end user to ensure that it meets their needs.”
The assumptions should always err on the side of security. It is trivial for a user to turn something on if they discover it is missing – it is effectively impossible for them to (knowingly) turn something off if they don’t realize it’s turned on. Microsoft is very often criticized for leaving unneeded services on by default and for not being configured securely by default – Linux should receive the same criticism when it falls into the same trap.
“These assumptions are very clearly documented in the README.Debian file that’s distributed with the package, and by the wording the maintainer has had some fairly lengthy conversations with people about it and feels quite strongly about it. He also quite clearly explains how to change this if you disagree with his choice, including paths to these supposed ‘arcane config files’ and the exact line to change and how to do it.”
None of which is displayed in the installation. There are 8710 packages in the Debian distribution, hundreds of which would be installed to make a working system. It is unreasonable to expect a user to read every single README.Debian file that results from installing all those packages.
“There are often reasons to do so – perhaps the machines are being used in a secure location, perhaps they’re tightly locked down via ssh keys and hosts, there are plenty of situations where people may wish to login as root.”
You can never say never about a configuration setting, there will always be someone to point out where it is entirely sensible to do so. None of these reasons justify making root logins enabled by default as in the most common situation for the software it is insecure and unnecessary. I did not suggest that the configuration setting would never be useful, merely that it should never default to on.
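The point about settings a user never knowingly turned on can be checked mechanically. The following is an added example, not part of the original post or of the Debian package: it reads an sshd_config text and reports where root login is permitted, including the case where the PermitRootLogin directive is absent and the build's default silently applies. The sample config is constructed, the compiled default is an assumption passed in by the caller, and Include files are not followed.

```python
import re

# Constructed sample: root login is never set globally, so the
# compiled-in default applies without the admin ever having seen it.
SAMPLE = """\
# Constructed sshd_config for illustration
Port 22
#PermitRootLogin no
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password
    PermitRootLogin yes
"""

DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.+)$")

def root_login_settings(config_text, compiled_default):
    """Return [(scope, value, origin)] for PermitRootLogin.

    sshd keeps the first value it reads for a keyword, so later
    duplicates in the same scope are ignored. compiled_default is an
    assumption supplied by the caller; it differs between OpenSSH builds.
    """
    scope, seen, found = "global", set(), []
    for raw in config_text.splitlines():
        m = DIRECTIVE.match(raw.strip())
        if raw.lstrip().startswith("#") or not m:
            continue                     # comment, blank or bare keyword
        key, rest = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            scope = "Match " + rest      # following lines are conditional
        elif key == "permitrootlogin" and scope not in seen:
            seen.add(scope)
            found.append((scope, rest.split()[0].strip('"').lower(), "explicit"))
    if "global" not in seen:
        found.insert(0, ("global", compiled_default.lower(), "implicit default"))
    return found

def root_login_exposed(config_text, compiled_default):
    """Scopes in which root may log in, including ones never written down."""
    return [(s, v, o) for s, v, o in root_login_settings(config_text, compiled_default)
            if v != "no"]                # every value except "no" admits root somehow

if __name__ == "__main__":
    for scope, value, origin in root_login_exposed(SAMPLE, compiled_default="yes"):
        print(f"{scope}: PermitRootLogin {value} ({origin})")
```

On a live host, `sshd -T` prints the effective configuration as the daemon itself resolves it and is the authoritative check.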
“Because you’re being paid to fix the customer’s problem in the first place, and not necessarily in the second with open source software. A lot of open source software is done by someone with an itch to scratch – Debian certainly falls into this situation – and they may not take the time to consider each and every situation that the software may be used in.”
I would take this to suggest that open source software is necessarily inferior and should not be depended upon because it’s “done by someone with an itch to scratch”. That is definitely not my view of open source software, nor is it something I would like to have reflected upon the small amount of open source work I have had occasion to perform. The open source community has been struggling to dispel such myths for some time and is beginning to see some great successes as it gains mainstream acceptance. Lowering the standards because something is free completely defeats this effort and drastically reduces the value of open source software. What’s worse however is that it detracts from the talents, commitment and achievement of those who contribute to open source projects.
I refuse to make excuses for the software I develop – if something is poor quality for whatever reason I’m the first to admit it. It is through acknowledging the problems that improvements are made and it is through holding your work to a higher standard than any other work that you achieve great things. Fewer excuses, higher quality software.