F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Maros Zatko mzatko at redhat.com
Fri Jan 16 15:22:03 UTC 2015


On 01/16/2015 03:39 PM, Lubomir Rintel wrote:
> On Thu, 2015-01-08 at 13:42 +0100, Jaroslav Reznik wrote:
>> = Proposed System Wide Change: Set sshd(8) PermitRootLogin=no =
>> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
> The discussion got rather long, but I didn't see one particular aspect
> discussed:
>
>> Remote users would not be allowed to log in using the 'root' account with a
>> password. They would have to log in using an SSH key or first connect
>> using a non-root account and then upgrade their privileges via sudo(8)
>> or su -.
> Doesn't this make the systems actually _less_ secure?
>
> I sometimes do risky things with my regular account. I often process
> untrusted input I download from the internet, often using tools that have
> serious security issues discovered (it doesn't have to be just flash or
> firefox, remember the binutils [1] or less [2] issues?). I'm sure many
> of us are similarly careless with their non-privileged accounts.
>
> [1] http://openwall.com/lists/oss-security/2014/10/23/5
> [2] http://seclists.org/fulldisclosure/2014/Nov/74
>
> There's a chance of a successful exploitation that would result in
> obtaining my privileges. Sure, gaining access to my account is bad
> enough, but if I run "su" or "sudo", they have root!
>
> I'm never sure if I'm talking to the actual tool. Something could have
> tampered with my shell and now is snooping for my password. The attacker
> could have ptrace()d my shell and switched execve("/bin/su") for
> execve("/tmp/uz_nejsu"). Or they could just have changed the $PATH in
> my .profile. I wouldn't notice!
>
> For this reason, I avoid privilege escalation when I need to conduct
> privileged operations, but open a separate session. The sshd daemon
> running with root privileges is more trustworthy to me than my user
> session.
>
> -1 for this change from me.
-1 from me, too :)
>
> Disallowing root logins and requiring me to use my regular account puts
> other users of the system at risk.
>
> Thank you,
> Lubo
>
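
The `$PATH` tampering scenario raised in the quoted message, as an added example (not part of the thread or of any Fedora tooling): a shell check that reports when `su` or `sudo` would resolve outside a list of trusted directories. The `TRUSTED_DIRS` list and the function names are assumptions made for this sketch.

```sh
#!/bin/sh
# Constructed example: detect "su"/"sudo" resolving outside trusted directories.

# Assumption: directories regarded as trusted; adjust for the distribution.
TRUSTED_DIRS="/usr/bin /bin /usr/sbin /sbin"

# first_match CMD PATHSTRING: print the first executable CMD found on PATHSTRING.
first_match() {
    rest="$2:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}      # next PATH element
        rest=${rest#*:}
        dir=${dir:-.}        # an empty element means the current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            printf '%s\n' "$dir/$1"
            return 0
        fi
    done
    return 1
}

# is_trusted_dir DIR: succeed only if DIR is listed in TRUSTED_DIRS.
is_trusted_dir() {
    for t in $TRUSTED_DIRS; do
        if [ "$1" = "$t" ]; then return 0; fi
    done
    return 1
}

# check_cmd CMD PATHSTRING: 0 = trusted location, 1 = suspect, 2 = not found.
check_cmd() {
    hit=$(first_match "$1" "$2") || { printf 'MISSING %s\n' "$1"; return 2; }
    if is_trusted_dir "${hit%/*}"; then
        printf 'OK %s\n' "$hit"
    else
        printf 'SUSPECT %s\n' "$hit"
        return 1
    fi
}

# Report on the current session's PATH.
for c in su sudo; do
    check_cmd "$c" "$PATH" || true
done
```

An `OK` result only covers `$PATH` resolution; it says nothing about a shell that has been traced or otherwise modified, which the message also mentions.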


