About setting 'PermitRootLogin=no' in sshd_config

P J P pj.pandit at yahoo.co.in
Mon Jan 12 12:09:01 UTC 2015


   Hello,

> On Monday, 12 January 2015 4:09 PM, Ian Malone <ibmalone at gmail.com> wrote:
> > On 12 January 2015 at 09:20, Milan Keršláger <milan.kerslager at pslib.cz> 
>> 4) Blocking root access means forcing admins to log in as a normal user and
>> then do su/sudo and provide the root password, which is far less secure
>> than disabling root password authentication and allowing login to root with
>> an SSH key only, because a password could be easily stolen (the private key is
>> never sent over the net, so it is safer).
> 
> It is only more secure if you assume normal user password ssh is
> allowed. It shouldn't be either, it should be ssh key. If you're
> allowing password login on any account then you're less secure, even
> without discussing sudo.

  I understand. As said in the other thread, how we restrict remote root access is negotiable. Though IMHO, we are not yet ready for purely key-based authentication and disabling password authentication altogether. In fact, disabling remote 'root' access could be the first step in that direction, i.e. if we start using keys for remote 'root' access.

>> 6) Because of all I wrote above, disabling root login is "Security
>> through obscurity" and THIS DOES NOT IMPROVE SECURITY! See
>> https://cs.wikipedia.org/wiki/Security_through_obscurity and 5) above
> 
> It's not really. Security through obscurity is design or
> implementation (as outlined in the English version of that wikipedia
> page). What this is is somewhere between security in layers and
> security in extended keys. User account names can be discovered and
> don't add many bytes compared to a secret key, on the other hand it
> should be easy to spot brute force attempts on user name. And not
> every user account on a system has sudo access, of course you can try
> local exploits once you have a shell, but that is still better than
> hanging direct root out as a big target to attack. Layers.

  Yes, nice term, security through layers.


---

Regards
   -Prasad
http://feedmug.com
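The two practical points argued in the thread above (which PermitRootLogin / PasswordAuthentication combination a config actually ends up with, and that brute-force attempts against a named user account are easy to spot in the auth log) as an added Python example. This is not code from the thread or from the OpenSSH project. It assumes OpenSSH's first-occurrence-wins rule for sshd_config keywords, the current defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes), and the sample config text and log lines below are constructed; the function names are my own.

```python
import re
from collections import Counter

# Assumed defaults for OpenSSH 7.0 and newer (older releases defaulted PermitRootLogin to yes).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    sshd keeps the *first* value it sees for a keyword, so later duplicates are
    ignored; both "Keyword value" and "Keyword=value" spellings are accepted.
    Parsing stops at the first Match block, whose settings are conditional.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)                 # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Classify the remote-root posture the config produces and list findings."""
    s = parse_sshd_config(text)
    root = s.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower()
    if root == "without-password":                      # legacy spelling
        root = "prohibit-password"
    pw = s.get("passwordauthentication", DEFAULTS["passwordauthentication"]).lower()

    findings = []
    if root == "yes":
        how = "with a password" if pw == "yes" else "with keys only (PasswordAuthentication is off)"
        findings.append("root may log in directly " + how)
    if pw == "yes":
        findings.append("password authentication is enabled for user accounts")
    return {"root_login": root, "password_auth": pw, "findings": findings}


# "Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2"
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")


def failed_logins(lines):
    """Count failed password attempts per (user, source address)."""
    counts = Counter()
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def flag_bruteforce(lines, threshold=5):
    """Return [(user, source, attempts)] at or above threshold, most attempts first."""
    hits = [(u, src, n) for (u, src), n in failed_logins(lines).items() if n >= threshold]
    return sorted(hits, key=lambda t: -t[2])


# Constructed sample inputs.
WEAK_CONFIG = """
# permissive: root reachable with a password, passwords allowed everywhere
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication yes    # conditional; not part of the global posture
"""

SAMPLE_AUTH_LOG = [
    "Jan 12 12:00:%02d host sshd[1234]: Failed password for invalid user admin "
    "from 203.0.113.5 port 4242 ssh2" % i for i in range(6)
] + [
    "Jan 12 12:01:00 host sshd[1235]: Failed password for alice from 198.51.100.7 port 5001 ssh2",
    "Jan 12 12:01:05 host sshd[1236]: Accepted publickey for alice from 198.51.100.7 port 5002 ssh2",
]

if __name__ == "__main__":
    print(audit_sshd_config(WEAK_CONFIG))
    print(audit_sshd_config(HARDENED_CONFIG))
    print(flag_bruteforce(SAMPLE_AUTH_LOG))
```

The audit reports the effective global posture, so a file that sets `PermitRootLogin=no` early and `PermitRootLogin yes` later still classifies as `no`; the log check is the "spot brute force attempts on user name" layer from the thread, keyed by user and source so a spray across many user names from one address also stands out when you aggregate by address.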
