The keyword here is *default*. Say you installed OpenBSD on a Soekris; it's nice having root enabled "temporarily". That way you can log in at a later time, create a less privileged account, edit the sudoers file, and disable root logins in sshd_config. I believe the developers' decision is the best one in this case; it's one of the first things I disable, though.
Note that you can already create this account and edit sudoers while still in the installer kernel. Simply run `/mnt/usr/sbin/chroot /mnt` and you are in your new system, where you can change basic things such as adding users and editing config files. Do not expect to be able to do more fancy stuff like firewalling (you can edit pf.conf, you just cannot load it until after rebooting): you're still in the install kernel, which lacks several key features provided by the regular kernel.

Root logins are also quite useful when /home is on NFS and NFS is broken somehow and you need to log in to fix stuff. Myself, I keep it enabled, even if I don't have /home on NFS and already have my less-privileged user for sudo access set up.
Cheers,
Paul 'WEiRD' de Weerd
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
I usually leave it enabled, but with the 'without-password' setting so that keys must be used.

--
Darrin Chandler | Phoenix BSD User Group | MetaBUG
dwchandler@stilyagin.com | http://phxbug.org/ | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
I do prefer to use the siteXX.tgz and the install.site script to do this, since it is the recommended way to customize the install process: http://www.openbsd.org/faq/faq4.html#site

I remember another thread on this list about this. At some point someone asked "Why not ask the installing user to create an unprivileged account during the install process?". The answer was simple and very coherent: "Because we want the user to give the root user a strong password. If we prompt for another user creation, they will tend to pick a weak password." I agreed with that and prefer having things like this.

The portable ssh version also comes with PermitRootLogin defaulted to yes. I don't see this as a security breach. Just pick a strong root password, create a user, edit sudoers, disable root login and you are done.

My regards,

--
Giancarlo Razzolini
http://lock.razzolini.adm.br
Linux User 172199
Red Hat Certified Engineer no:804006389722501
Verify: https://www.redhat.com/certification/rhce/current/
Moleque Sem Conteudo Numero #002
OpenBSD Stable
Ubuntu 8.04 Hardy Heron
4386 2A6F FFD4 4D5F 5842 6EA0 7ABE BBAB 9C0E 6B85
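The step that Paul's chroot-from-the-installer note, Darrin's 'without-password' setting and Giancarlo's install.site route all come down to is editing sshd_config. As an added example that is not code from this thread or from OpenBSD, here is a POSIX shell helper that sets PermitRootLogin the way sshd_config(5) actually reads the file: the first occurrence of a keyword wins, so a second directive appended with `echo >>` is silently ignored, and a line that lands after a Match block only applies conditionally. The sample configuration and temporary paths are constructed for the demo; pointing the helper at /mnt/etc/ssh/sshd_config from the installer, or calling it from install.site, is the assumed use.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from OpenBSD):
# set PermitRootLogin in an sshd_config file, honouring sshd's first-match
# rule. Paths and the sample configuration below are constructed for the demo.
set -eu

# Print the value sshd will use for PermitRootLogin from FILE.
# sshd takes the FIRST occurrence of a keyword, so a "PermitRootLogin no"
# appended after an earlier "yes" changes nothing. Directives after the
# first Match block are conditional and are ignored here. With no global
# directive at all, the built-in default "yes" is reported.
# (The "Keyword=value" spelling sshd also accepts is not handled.)
effective_permit_root_login() {
    awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "yes" }
    ' "$1"
}

# Rewrite FILE so PermitRootLogin is VALUE ("no" or "without-password"):
# every global directive is replaced in place; if none exists, the new line
# is inserted at the TOP so it cannot end up inside a trailing Match block.
set_permit_root_login() {
    file=$1
    value=$2
    tmp="$file.tmp.$$"
    {
        if ! awk '
                tolower($1) == "match"           { exit }
                tolower($1) == "permitrootlogin" { found = 1; exit }
                END { exit found ? 0 : 1 }
            ' "$file"; then
            printf 'PermitRootLogin %s\n' "$value"
        fi
        awk -v v="$value" '
            tolower($1) == "match" { inmatch = 1 }
            !inmatch && tolower($1) == "permitrootlogin" { $0 = "PermitRootLogin " v }
            { print }
        ' "$file"
    } > "$tmp"
    mv "$tmp" "$file"
}

# Write a constructed sshd_config into DIR and print its path. It carries
# the default-looking "yes" first and a later "no" that a naive append
# would have produced; sshd still honours the "yes".
make_sample_config() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sample, not a real host's configuration
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PermitRootLogin without-password
EOF
    printf '%s\n' "$1/sshd_config"
}

# Demo: show the effective value before and after on the constructed sample.
demo() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/sshdcfg.XXXXXX")
    cfg=$(make_sample_config "$dir")
    printf 'before: %s\n' "$(effective_permit_root_login "$cfg")"
    set_permit_root_login "$cfg" without-password
    printf 'after:  %s\n' "$(effective_permit_root_login "$cfg")"
    rm -rf "$dir"
}

demo
```

Run with `sh` on any POSIX system; `effective_permit_root_login` alone is a useful check on a freshly installed host, since `sshd -T` is not available inside the install kernel and the first-match rule is what makes a hand-edited file disagree with what the administrator believes it says.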
You can set up a weak root password during install ;-) There is no test, so I can use root, password, admin and so on.

-----Original Message-----
From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org] On Behalf Of Giancarlo Razzolini
Sent: Thursday, July 10, 2008 8:16 PM
To: Paul de Weerd
Cc: Brynet; misc@openbsd.org
Subject: Re: sshd_config(5) PermitRootLogin yes
Who gives a fluck? OpenBSD gives you all the tools, even if they are too sharp for dull blunts. If you don't like the defaults you have at least two options:

1> use something else. Is that more secure? Good for you.
2> figure out how to get what you want using the tools provided. It is possible to get your stated position.

Now let this timewaster thread die its deserved death.

Rod/
_____
Depressed? Me?
On Soekris, does the first boot console access not function properly until ttys(5) or boot.conf(5) are edited? Do you need to run headless, but with stored network configuration from the installer?
