F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Milan Keršláger milan.kerslager at pslib.cz
Mon Jan 12 16:27:34 UTC 2015 

Dne 12.1.2015 v 15:46 Przemek Klosowski napsal(a):
> There still needs to be an administrative access to the system, and the
> most common implementation by enabling 'sudo' on the non-privileged
> account. So, in a sense you are both right: this feature is just a small
> step rather than a security panaceum, but it does bring real
> improvements in several areas:
> 
> - increases difficulty of the attack by banning stupid automated BF
> attacks on root
> - improves accountability for administrative actions (we know which
> admin messed up :)
> - allows more granularity in granting elevated privileges across a set
> of machines and admins

No. It improves nothing. This is step backward.

It gaves bad signal to the user ("strong root password is not needed").

It does not mitigate the BF attack. The original and main reason was to
mitigate BF even "P J P <pjp at fedoraproject.org>" told us here that not.
See his writings here:
https://lists.fedoraproject.org/pipermail/devel/2014-November/204530.html,
https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no

This is simply very bad security misconception.

The PJP told us that this is like SELinux or firewal. But firewall block
all trafic. But SELinux does not allow to obey the rules it raises. And
"PermitRootLogin=no" still allows BF and still allows easily to login as
another user and do su/sudo even maybe (!!!) not so easily (which is
hard to prove as I demonstrated before because it will lead to use much
less quality passords for root and normal users too).

All this rumor is trying to tell us that it improves security, but does
not. It provides false feeling of improved security and this is very
dangerous (ie. like does Security through Obscurity). If you really want
to improve security and mitigate BF attacks against root, do this:

A) do not run SSHD by default
B) install a script by default to bann repeated login failures
   (there are many around here, just test them and ship one).

These are real steps forward as it will really mitigate BF for all
accounts in the system.

-- 
                            Milan Keršláger
                            http://www.pslib.cz/ke/
                            http://www.nti.tul.cz/wiki/Milan.Kerslager

More information about the devel mailing list