F22 System Wide Change: Set sshd(8) PermitRootLogin=no
Paul Wouters
paul at nohats.ca
Mon Jan 12 23:07:46 UTC 2015
On Mon, 12 Jan 2015, Przemek Klosowski wrote:
> First of all, I agree with you that PermitRootLogin without-password is preferable.
Good :)
> The discussion I am interested in is whether direct password root login should remain enabled.
> With root logins, all you have on the client machine is the IP the connection originated from.
$ ssh root@localhost
Last failed login: Mon Jan 12 17:25:40 EST 2015 from 61.174.50.244 on ssh:notty
There were 3862 failed login attempts since the last successful login.
Last login: Sat Jan 10 11:36:43 2015 from thinkpad.nohats.ca
root@bofh:~# tail /var/log/audit/audit.log
type=CRYPTO_SESSION msg=audit(1421103620.649:1371831): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5-etm@openssh.com spid=7381 suid=74 rport=60353 laddr=127 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1421103620.649:1371832): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 mac=hmac-md5-etm@openssh.com spid=7381 suid=74 rport=60353 laddr=127 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_AUTH msg=audit(1421103620.721:1371833): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=60353 acct="root" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_AUTH msg=audit(1421103620.721:1371834): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=key algo=ssh-dss size=1024 fp=13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a rport=60353 acct="root" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_ACCT msg=audit(1421103620.741:1371835): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/sshd" hostname=bofh.nohats.ca addr=::1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1421103620.742:1371836): pid=7380 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=7381 suid=74 rport=60353 laddr=127.0.0.1 lport=22 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
Note the: fp=13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a
paul@bofh:~$ ssh-keygen -l -f .ssh/id_nohats
1024 13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a paul@nohats.ca (DSA)
Looks like me :)
> More importantly, there is one root for all users---if one user needs to be blocked (e.g. sysadmin quits), the only
> solution is to change the root password everywhere. Individual accounts can be controlled independently, especially in
> setups with centralized account management like Kerberos/IPA.
Yes, I am not advocating root passwords :)
> - allows more granularity in granting elevated privileges across a set of machines and admins
That is true, but honestly the number of ways to get out of a restricted
sudo command list is pretty extensive. If you give them one command as
root you almost always give them a way to get a root shell.
> Nothing in the current setup is preventing you from allowing non-root
> remote access. Blocking direct root access does not "allow more granularity".
> You already have all the granularity if you want to use it.
>
> But if the single-password root is enabled, why would anyone use those granular methods?
I said install ssh keys for root, not passwords.
Paul
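
Added example, not part of the original message: a small Python script that attributes key-based root logins to individual admins by matching the fp= field of USER_AUTH op=key audit records against a fingerprint-to-owner inventory, as done by hand above. The sample records are constructed (trimmed from the format in the excerpt), and KEY_OWNERS, SAMPLE and root_key_logins are names made up for this example.

```python
import re
from datetime import datetime, timezone

# USER_AUTH "op=key" record, in the format shown in the audit.log excerpt above.
KEY_RE = re.compile(
    r"type=USER_AUTH msg=audit\((?P<ts>\d+)\.\d+:\d+\).*?"
    r"op=key algo=(?P<algo>\S+) size=(?P<size>\d+) fp=(?P<fp>\S+).*?"
    r'acct="(?P<acct>[^"]+)".*?\baddr=(?P<addr>\S+).*?\bres=(?P<res>\w+)'
)

# Assumed inventory: fingerprint (from `ssh-keygen -l -f <key>`) -> key owner.
# The single entry is the fingerprint/comment pair shown in the message.
KEY_OWNERS = {"13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a": "paul@nohats.ca"}

# Constructed sample input: a pubkey_auth record (no fingerprint), a root login
# with a known key, a root login with an unlisted key, and a non-root login.
SAMPLE = """\
type=USER_AUTH msg=audit(1421103620.721:1371833): pid=7380 uid=0 msg='op=pubkey_auth rport=60353 acct="root" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_AUTH msg=audit(1421103620.721:1371834): pid=7380 uid=0 msg='op=key algo=ssh-dss size=1024 fp=13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a rport=60353 acct="root" exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_AUTH msg=audit(1421103700.100:1371900): pid=7411 uid=0 msg='op=key algo=ssh-rsa size=2048 fp=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff rport=40000 acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=success'
type=USER_AUTH msg=audit(1421103800.100:1371950): pid=7500 uid=0 msg='op=key algo=ssh-rsa size=2048 fp=00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff rport=40001 acct="alice" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.11 terminal=? res=success'
""".splitlines()

def root_key_logins(lines, key_owners):
    """Return one dict per successful root public-key auth, with the key owner."""
    hits = []
    for line in lines:
        m = KEY_RE.search(line)
        if not m or m["acct"] != "root" or m["res"] != "success":
            continue  # not a key record, not root, or not accepted
        when = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
        hits.append({
            "time": when.isoformat(),
            "addr": m["addr"],
            "key": f'{m["algo"]}/{m["size"]}',
            "fp": m["fp"],
            # A key missing from the inventory is the case worth alerting on.
            "owner": key_owners.get(m["fp"], "UNKNOWN KEY"),
        })
    return hits

if __name__ == "__main__":
    for hit in root_key_logins(SAMPLE, KEY_OWNERS):
        print("{time} root login from {addr} with {key} {fp} -> {owner}".format(**hit))
```

To run it against a live system, pass the lines of /var/log/audit/audit.log instead of SAMPLE and fill KEY_OWNERS from the keys listed in root's authorized_keys.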