F22 System Wide Change: Set sshd(8) PermitRootLogin=no
Przemek Klosowski
przemek.klosowski at nist.gov
Thu Jan 8 15:13:18 UTC 2015
On 01/08/2015 08:42 AM, Paul Wouters wrote:
> On Thu, 8 Jan 2015, Jaroslav Reznik wrote:
>> == Detailed Description ==
>> Sshd(8) daemon allows remote users to login as 'root' by default. This
>> provides remote attackers an option to brute force their way into a
>> system.
> If you want to fight that, you need to set PasswordAuthentication no and
> insist that people start using ssh keypairs instead.
>
> Singling out root is not effective against system compromises caused by
> brute forcing passwords.
There's another aspect of this, namely accountability. In realistic
environments usually several people have admin privileges and
password-based root access is hard to manage---e.g. you need to change
root password everywhere when the sysadmin team changes.
> The defense against password attacks is to not permit password
> authentication.
>
> Disallowing root access will interfere with legitimate root logins, for
> example automated backup logins, or remote administration tools like
> puppet or ansible that require root access.
For the automation cases I like Chris Adams' suggestion:
PermitRootLogin without-password
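An added example, not part of the thread or of any Fedora change: a small POSIX shell audit that reports the *effective* PermitRootLogin and PasswordAuthentication values of an sshd_config and flags the weak combination discussed above. It relies on two sshd_config facts the discussion takes for granted: sshd uses the first occurrence of a keyword and ignores later duplicates (so a hardening line appended to the bottom of the file may do nothing), and "without-password" is the same setting as "prohibit-password", which OpenSSH 7.0 introduced as the new spelling. The two config files are constructed inline for the demo; the hypothetical function names effective_value and audit_sshd_config are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes plain sshd_config syntax:
# "Keyword value" or "Keyword=value", case-insensitive keywords, '#' comments.

# effective_value <config-file> <keyword>
# Print the value sshd will actually use: the FIRST occurrence of the keyword.
# Stops at the first "Match" line, because keywords inside Match blocks apply
# only conditionally and are not the global value this audit reports.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }
        {
            line = $0; sub(/^[[:space:]]+/, "", line)
            split(line, f, /[[:space:]=]+/)
            if (tolower(f[1]) == key) { print f[2]; exit }
        }' "$1"
}

# audit_sshd_config <config-file>
# Returns 0 when neither root-as-password nor password auth is enabled,
# 1 otherwise, and prints one finding per line.
audit_sshd_config() {
    cfg="$1"; rc=0
    root=$(effective_value "$cfg" PermitRootLogin)
    pw=$(effective_value "$cfg" PasswordAuthentication)
    # Compiled-in defaults when a keyword is absent, as of OpenSSH 6.x at the
    # time of this thread: PermitRootLogin yes, PasswordAuthentication yes.
    # (OpenSSH 7.0 later changed the PermitRootLogin default to prohibit-password.)
    root=$(printf %s "${root:-yes}" | tr '[:upper:]' '[:lower:]')
    pw=$(printf %s "${pw:-yes}" | tr '[:upper:]' '[:lower:]')

    if [ "$pw" = yes ]; then
        echo "WARN: PasswordAuthentication is yes (every account is brute-forceable)"
        rc=1
    fi
    case "$root" in
        yes)
            echo "WARN: PermitRootLogin is yes (root reachable with a password)"
            rc=1 ;;
        without-password|prohibit-password)
            echo "INFO: PermitRootLogin=$root: root only with keys (fine for puppet/ansible/backups)" ;;
        no|forced-commands-only)
            echo "INFO: PermitRootLogin=$root" ;;
        *)
            echo "WARN: unrecognised PermitRootLogin value '$root'"
            rc=1 ;;
    esac
    return $rc
}

# --- constructed sample configs for the demo (not real files) ---
weak=$(mktemp); strong=$(mktemp)
trap 'rm -f "$weak" "$strong"' EXIT

# Distro-default style file that someone "hardened" by appending a line;
# sshd keeps the first PermitRootLogin and ignores the appended one.
cat >"$weak" <<'EOF'
Protocol 2
PermitRootLogin yes
UsePAM yes
# appended later by an admin, silently ignored by sshd:
PermitRootLogin no
EOF

# Hardened file: keys only everywhere, root allowed for automation with keys.
cat >"$strong" <<'EOF'
Protocol 2
PasswordAuthentication = no
ChallengeResponseAuthentication no
PermitRootLogin without-password
EOF

echo "== weak config";   audit_sshd_config "$weak"   || echo "result: weak"
echo "== strong config"; audit_sshd_config "$strong" && echo "result: ok"
```

Run it against a real /etc/ssh/sshd_config to see what sshd will honour; on a live host `sshd -T` prints the same effective values authoritatively, including Match-block resolution, and is the better check where you can run it as root.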