F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Paul Wouters paul at nohats.ca
Mon Jan 12 23:07:46 UTC 2015


On Mon, 12 Jan 2015, Przemek Klosowski wrote:

> First of all, I agree with you that PermitRootLogin without-password  is preferable.

Good :)

> The discussion I am interested in is whether direct password root login should remain enabled.

> With root logins, all you have on the client machine is the IP the connection originated from.

$ ssh root@localhost
Last failed login: Mon Jan 12 17:25:40 EST 2015 from 61.174.50.244 on ssh:notty
There were 3862 failed login attempts since the last successful login.
Last login: Sat Jan 10 11:36:43 2015 from thinkpad.nohats.ca
root@bofh:~# tail /var/log/audit/audit.log

type=CRYPTO_SESSION msg=audit(1421103620.649:1371831): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5-etm@openssh.com spid=7381 suid=74 rport=60353 laddr=127 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1421103620.649:1371832): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 mac=hmac-md5-etm@openssh.com spid=7381 suid=74 rport=60353 laddr=127 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_AUTH msg=audit(1421103620.721:1371833): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=60353 acct="root" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_AUTH msg=audit(1421103620.721:1371834): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=key algo=ssh-dss size=1024 fp=13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a rport=60353 acct="root" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=?  res=success'
type=USER_ACCT msg=audit(1421103620.741:1371835): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/sshd" hostname=bofh.nohats.ca addr=::1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1421103620.742:1371836): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=7381 suid=74 rport=60353 laddr=127.0.0.1 lport=22  exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'

Note the: fp=13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a

paul@bofh:~$ ssh-keygen -l -f .ssh/id_nohats
1024 13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a  paul@nohats.ca (DSA)

Looks like me :)

> More importantly, there is one root for all users---if one user needs to be blocked (e.g. sysadmin quits), the only
> solution is to change the root password everywhere. Individual accounts can be controlled independently, especially in
> setups with centralized account management like Kerberos/IPA.

Yes, I am not advocating root passwords :)

>             - allows more granularity in granting elevated privileges across a set of machines and admins

That is true, but honestly the number of ways to get out of a restricted
sudo command list is pretty extensive. If you give them one command as
root you almost always give them a way to get a root shell.

>       Nothing in the current setup is preventing you from allowing non-root
>       remote access. Blocking direct root access does not "allow more granularity".
>       You already have all the granularity if you want to use it.
> 
> But if the single-password root is enabled, why would anyone use those granular methods?

I said install ssh keys for root, not passwords.

Paul
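
Added example, not part of the message above and not Fedora or OpenSSH code: the fingerprint match done by eye in the audit log, automated so that every successful root key login is attributed to a key owner or flagged as an unknown key. The inventory `KNOWN_KEYS`, the function name and the sample records are assumptions; the records are constructed in the quoted log format, and only the first fingerprint comes from the message.

```python
import re

# Constructed sample records in the audit.log format quoted above (fields trimmed).
# Only the first fingerprint comes from the message; everything else is made up.
SAMPLE_LOG = """\
type=USER_AUTH msg=audit(1421103620.721:1371833): pid=7380 uid=0 msg='op=pubkey_auth rport=60353 acct="root" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_AUTH msg=audit(1421103620.721:1371834): pid=7380 uid=0 msg='op=key algo=ssh-dss size=1024 fp=13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a rport=60353 acct="root" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_AUTH msg=audit(1421107000.100:1371900): pid=7412 uid=0 msg='op=key algo=ssh-rsa size=2048 fp=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff rport=40000 acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=success'
type=USER_AUTH msg=audit(1421107100.200:1371910): pid=7420 uid=0 msg='op=key algo=ssh-rsa size=2048 fp=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff rport=40001 acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=success'
type=USER_AUTH msg=audit(1421107200.300:1371920): pid=7431 uid=0 msg='op=key algo=ssh-rsa size=2048 fp=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff rport=40002 acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=failed'
"""

# Hypothetical inventory: fingerprint -> owner, filled from `ssh-keygen -l -f <keyfile>`.
KNOWN_KEYS = {"13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a": "paul@nohats.ca"}

EVENT = re.compile(r"^type=USER_AUTH msg=audit\((\d+)\.\d+:(\d+)\):")
FIELDS = {
    "op": re.compile(r"\bop=(\S+)"),
    "fp": re.compile(r"\bfp=([0-9a-f:]+)"),
    "acct": re.compile(r'\bacct="([^"]*)"'),
    "addr": re.compile(r"\baddr=(\S+)"),  # \b keeps laddr= from matching
    "res": re.compile(r"\bres=(\w+)"),
}

def root_key_logins(log_text, known_keys):
    """Return (epoch, serial, addr, fingerprint, owner) per successful root key login."""
    hits = []
    for line in log_text.splitlines():
        head = EVENT.match(line)
        if not head:
            continue
        found = {name: rx.search(line) for name, rx in FIELDS.items()}
        rec = {name: m.group(1) if m else None for name, m in found.items()}
        # Only the op=key record carries the fingerprint of the accepted key.
        if rec["op"] != "key" or rec["acct"] != "root" or rec["res"] != "success":
            continue
        owner = known_keys.get(rec["fp"], "UNKNOWN KEY")
        hits.append((int(head.group(1)), int(head.group(2)), rec["addr"], rec["fp"], owner))
    return hits

if __name__ == "__main__":
    for epoch, serial, addr, fp, owner in root_key_logins(SAMPLE_LOG, KNOWN_KEYS):
        print(f"{epoch} event={serial} from={addr} key={fp} -> {owner}")
```

The inventory has to use the same fingerprint format as the audit records on the system being checked; newer OpenSSH releases print SHA256 fingerprints by default, and `ssh-keygen -l -E md5 -f <keyfile>` gives the MD5 form, prefixed with `MD5:`.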

