F22 System Wide Change: Set sshd(8) PermitRootLogin=no
Paul Wouters
paul at nohats.ca
Thu Jan 8 15:37:20 UTC 2015
On Thu, 8 Jan 2015, Przemek Klosowski wrote:
> If you want to fight that, you need to set PasswordAuthentication no and
> insist that people start using ssh keypairs instead.
>
> Singling out root is not affective against system compromises caused by
> brutce forcing passwords.
>
> There's another aspect of this, namely accountability.
There are many aspects in the global discussio of ssh keys versus sudo
versus passwords. I was trying to stick to the feature request and its
justification. Using root with ssh keys has a perfectly fine audit trail
that shows whether you or I logged in as root using ssh. We don't need
the sudo audit trail for that.
> In realistic environments usually several people
> have admin privileges and password-based root access is hard to manage---e.g. you need to change root
> password everywhere when the sysadmin team changes.
I don't think anyone is arguing in favour of keeping root password based
logins as the default. It's just too dangerous.
> The defense against password attacks is to not permit password authentication.
>
> Disallowing root access will interfere with legitimate root logins, for
> example automated backup logins, or remote administration tools like
> puppet or ansible that require root access.
>
> For the automation cases I like Chris Adams' suggestion:
>
> PermitRootLogin without-password
I'm also fine with that. However, that does not address the ssh scripts
that are trying to login as various well-known or short usernames, most
of which will have sudo rights once broken. While this feature is named
"Set sshd(8) PermitRootLogin=no" what is really meant is "disable
password logins leading to root access due to dictionary attacks".
So if we truly want to address this feature, we should also disallow
non-root user password based ssh logins.
Paul
More information about the devel
mailing list