F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Paul Wouters paul at nohats.ca
Mon Jan 12 15:02:23 UTC 2015


On Mon, 12 Jan 2015, Przemek Klosowski wrote:

> There still needs to be administrative access to the system, and the most common implementation is by enabling 'sudo'
> on the non-privileged account. So, in a sense you are both right: this feature is just a small step rather than a
> security panacea, but it does bring real improvements in several areas:

Disagree :P

> - increases difficulty of the attack by banning stupid automated BF attacks on root

Do you use PrzemekKlosowski as your username on your Fedora? I doubt it.
It is more likely to be przemek, klosowski or pklosowski. In fact, often
this is revealed in mail headers (e.g. "sendmail invoked by user paul").
More often, people will have 2 to 4 character usernames.

So this information is far from secret, and easily guessable. Compared
to the dictionary this does in fact not make the problem any harder at
all. However, you have made legitimate automated root logins much harder
now, like me calling rsync as root for backups, which are not easily
done wrapped in sudo :P

> - improves accountability for administrative actions (we know which admin messed up :)

Nonsense. For non-malicious logins, sudo leaves as much of a trail as
sshd which tells you which credentials were used to log in. For malicious
logins, once root access is obtained via password-less sudo, the
evidence is removed from the logs. sudo offering a better audit trail is
a misconception that's been around for years.

> - allows more granularity in granting elevated privileges across a set of machines and admins

Nothing in the current setup is preventing you from allowing non-root
remote access. Blocking direct root access does not "allow more granularity".
You already have all the granularity if you want to use it.

Paul

