F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Paul Wouters paul at nohats.ca
Thu Jan 8 13:42:45 UTC 2015


On Thu, 8 Jan 2015, Jaroslav Reznik wrote:

> = Proposed System Wide Change: Set sshd(8) PermitRootLogin=no =
> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no
>
> Change owner(s): P J P <pjp at fedoraproject.org> and Fedora Security Team
>
> To disable remote root login facility in sshd(8) by default.

I still disagree with this feature.

> == Detailed Description ==
> Sshd(8) daemon allows remote users to login as 'root' by default. This
> provides remote attackers an option to brute force their way into a system.

If you want to fight that, you need to set PasswordAuthentication no and
insist that people start using ssh keypairs instead.

Singling out root is not affective against system compromises caused by
brutce forcing passwords. While it might take a little longer for an
attacker to guess username+password (how many of you have a
username of more than 6 characters) once the non-root user password is
brute-forced they will most likely gain root via either passwordless
sudo or by creating some ~/bin/su wrapper that steals the password when
the real user logs on.

The defense against password attacks is to not permit password authentication.

Disallowing root access will interfere with legitimate root logins, for
example automated backup logins, or remote administration tools like
puppet or ansible that require root access.

Paul


More information about the devel mailing list