F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Paul Wouters paul at nohats.ca
Thu Jan 8 15:37:20 UTC 2015


On Thu, 8 Jan 2015, Przemek Klosowski wrote:

>       If you want to fight that, you need to set PasswordAuthentication no and
>       insist that people start using ssh keypairs instead.
>
>       Singling out root is not effective against system compromises caused by
>       brute forcing passwords.
> 
> There's another aspect of this, namely accountability.

There are many aspects in the global discussion of ssh keys versus sudo
versus passwords. I was trying to stick to the feature request and its
justification. Using root with ssh keys has a perfectly fine audit trail
that shows whether you or I logged in as root using ssh. We don't need
the sudo audit trail for that.

> In realistic environments usually several people
> have admin privileges and password-based root access is hard to manage---e.g. you need to change root
> password everywhere when the sysadmin team changes.

I don't think anyone is arguing in favour of keeping root password based
logins as the default. It's just too dangerous.

>       The defense against password attacks is to not permit password authentication.
>
>       Disallowing root access will interfere with legitimate root logins, for
>       example automated backup logins, or remote administration tools like
>       puppet or ansible that require root access.
> 
> For the automation cases I like Chris Adams' suggestion:
> 
> PermitRootLogin without-password

I'm also fine with that. However, that does not address the ssh scripts
that are trying to login as various well-known or short usernames, most
of which will have sudo rights once broken. While this feature is named
"Set sshd(8) PermitRootLogin=no" what is really meant is "disable
password logins leading to root access due to dictionary attacks".

So if we truly want to address this feature, we should also disallow
non-root user password based ssh logins.

Paul
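One way to check a host's sshd_config for the settings this reply contrasts (PermitRootLogin alone versus disabling password authentication altogether), as an added example that is not part of the thread. It assumes the OpenSSH 6.x defaults for unset keywords and runs on a constructed config fragment:

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# discussed above. Follows sshd(8) semantics: the first occurrence of a
# keyword wins, and keywords after a "Match" line apply only to matching
# connections, so only the global section is consulted.

# Print the effective global value of keyword $2 in file $1 (empty if unset).
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }  # comments, blanks
        tolower($1) == "match" { exit }                # end of global section
        tolower($1) == key     { print tolower($2); exit }
    ' "$1"
}

# Print one verdict for config file $1. Unset keywords take the OpenSSH 6.x
# defaults current when the thread was written: PermitRootLogin yes,
# PasswordAuthentication yes, ChallengeResponseAuthentication yes (the last
# matters because keyboard-interactive auth via PAM still prompts for a
# password even when PasswordAuthentication is no).
audit_sshd_config() {
    pa=$(sshd_effective "$1" PasswordAuthentication);          pa=${pa:-yes}
    cra=$(sshd_effective "$1" ChallengeResponseAuthentication); cra=${cra:-yes}
    prl=$(sshd_effective "$1" PermitRootLogin);                 prl=${prl:-yes}
    if [ "$pa" = no ] && [ "$cra" = no ]; then
        echo "password-logins-disabled"        # what the reply argues for
    elif [ "$prl" = no ] || [ "$prl" = without-password ] \
         || [ "$prl" = prohibit-password ]; then
        echo "root-only-protected"             # the F22 change on its own
    else
        echo "root-password-login-allowed"     # dictionary attacks reach root
    fi
}

# Constructed sample: the proposed setting with passwords still accepted
# for every other account (the gap the reply points out).
demo() {
    f=$(mktemp) || exit 1
    cat >"$f" <<'EOF'
# constructed sshd_config fragment
PermitRootLogin without-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
    audit_sshd_config "$f"    # prints: root-only-protected
    rm -f "$f"
}
demo
```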

