About setting 'PermitRootLogin=no' in sshd_config
Reindl Harald
h.reindl at thelounge.net
Fri Nov 21 11:05:24 UTC 2014
On 21.11.2014 at 11:55, Roberto Ragusa wrote:
> On 11/21/2014 09:42 AM, Reindl Harald wrote:
>
>> why? because they are servers for specific tasks and *any* non-root login would be followed by "su - root" anyways and for automated rsync scripts backing up data only root has access you need it also
>
> For rsync-as-root use cases my usual approach is to create another
> account with userid=0 and login with ssh on this account.
> It is not root, but it has the same powers (because the numeric uid is the only
> thing that really matters).
>
> Just wanted to share the trick

thanks, but that would alert in Lynis checks

"PermitRootLogin without-password" after setting up key authentication should
be the first action anyway - however, I am neutral to any default here,
since on physical machines it is no problem and most remote machines are set up
as virtual machines and so have "local access"

the only important thing is to *really* make sure that a
different account was created - otherwise it could lead to a locked-out
installation in case of network setup after the first boot
______________________________________________________________
Lynis:
[+] Users, Groups and Authentication
------------------------------------
- Search administrator accounts [ OK ]
- Checking for non-unique UIDs [ OK ]
- Checking consistency of group files (grpck) [ OK ]
- Checking non unique group ID's [ OK ]
- Checking non unique group names [ OK ]