F22 System Wide Change: Set sshd(8) PermitRootLogin=no

Lubomir Rintel lkundrak at v3.sk
Fri Jan 16 14:39:42 UTC 2015


On Thu, 2015-01-08 at 13:42 +0100, Jaroslav Reznik wrote:
> = Proposed System Wide Change: Set sshd(8) PermitRootLogin=no =
> https://fedoraproject.org/wiki/Changes/SSHD_PermitRootLogin_no

The discussion got rather long, but I didn't see one particular aspect
discussed:

> Remote users would not be allowed to login using 'root' account with a
> password. They would have to login using an SSH key or first connect
> using a non-root account and then upgrade their privileges via sudo(8)
> or su -.

Doesn't this make the systems actually _less_ secure?

I sometimes do risky things with my regular account. I often process
untrusted input I download from the internet, often using tools that have
had serious security issues discovered (it doesn't have to be just Flash or
Firefox, remember the binutils [1] or less [2] issues?). I'm sure many
of us are similarly careless with our non-privileged accounts.

[1] http://openwall.com/lists/oss-security/2014/10/23/5
[2] http://seclists.org/fulldisclosure/2014/Nov/74

There's a chance of a successful exploitation that would result in
obtaining my privileges. Sure, gaining access to my account is bad
enough, but if I run "su" or "sudo", they have root!

I'm never sure if I'm talking to the actual tool. Something could have
tampered with my shell and is now snooping for my password. The attacker
could have ptrace()d my shell and switched execve("/bin/su") for
execve("/tmp/uz_nejsu"). Or they could just have changed the $PATH in
my .profile. I wouldn't notice!

For this reason, I avoid privilege escalation when I need to conduct
privileged operations, but open a separate session. The sshd daemon
running with root privileges is more trustworthy to me than my user
session.

-1 for this change from me.

Disallowing root logins and requiring me to use my regular account puts
other users of the system at risk.

Thank you,
Lubo
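As an added example that is not part of the thread, here is a small POSIX sh check, written from the defender's side, for the PATH-tampering scenario described above: it verifies that su/sudo would be run from a trusted system directory and lists PATH entries a compromised unprivileged account could control. The function names and the TRUSTED_DIRS list are assumptions, not Fedora policy.

```shell
# Added example, not from the thread: does su/sudo resolve to a trusted system directory
# for a given PATH, and which entries could a compromised user control? Names are assumed.

# Directories we accept as the source of privilege-escalation tools.
TRUSTED_DIRS="/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin"

# first_in_path NAME PATHSTRING: print the first directory in PATHSTRING holding
# an executable NAME, the way a shell resolves commands. Returns 1 if none.
first_in_path() {
    name=$1; rest=$2:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        [ -z "$dir" ] && dir=.        # an empty entry means the current directory
        if [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# resolves_to_trusted NAME PATHSTRING: 0 if NAME comes from TRUSTED_DIRS, else 1.
resolves_to_trusted() {
    dir=$(first_in_path "$1" "$2") || return 1
    for t in $TRUSTED_DIRS; do
        [ "$dir" = "$t" ] && return 0
    done
    return 1
}

# untrusted_path_entries PATHSTRING: print entries the user (and so anyone who
# took over the account) can write to or redirect: empty, relative, $HOME, /tmp.
# Returns 0 if any were printed, 1 if the PATH looks clean.
untrusted_path_entries() {
    rest=$1:; found=1; home=${HOME:-/nonexistent}
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        case $dir in
            ''|[!/]*|"$home"|"$home"/*|/tmp|/tmp/*) printf '%s\n' "$dir"; found=0 ;;
        esac
    done
    return $found
}
# Report on the live environment of whoever runs this.
for tool in su sudo; do
    resolves_to_trusted "$tool" "$PATH" && echo "ok: $tool comes from $(first_in_path "$tool" "$PATH")" \
        || echo "WARNING: $tool is shadowed or missing in PATH"
done
untrusted_path_entries "$PATH" | sed 's/^/WARNING: untrusted PATH entry: /'
```

Running this from a login shell shows which copy of su or sudo the shell would actually execute; it does not detect a ptrace()d shell, only the PATH-based variant of the attack.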
