About sshd(8) PermitRootLogin=no

Brandon Vincent Brandon.Vincent at asu.edu
Tue Nov 25 15:05:59 UTC 2014

I have two divergent opinions on this issue.

Personally, I agree with Theo de Randt on the reasoning behind the
default PermitRootLogin setting in OpenSSH. If your root password is
of adequate strength (in the event that you're not mandating the use
of keys), then realistically the risk of exposing root logins over SSH
is minimal (excluding any unforeseen exploits in OpenSSH). I trust the
mathematics of cryptography.

On the other hand, I can't vouch for the security of other user's
systems. I have a suspicion that the majority of brute force attacks
that succeed occur on systems where the user is unaware that sshd is
running and/or the system was never meant to be reachable from the

Sucuri found that 58% of brute force attacks were conducted against
the root account [1]. A full list of the passwords tried by attackers
can be found here [2]. The strength of passwords that are tried are
obviously extremely weak.

Since setting PermitRootLogin to no will minimize the footprint of
this attack, I'd be more than happy to see it implemented. Anyone who
wants to sets PermitRootLogin to yes, is likely well aware of the
importance of strong passwords and the visibility of their system over
the internet.

Brandon Vincent

[1] http://blog.sucuri.net/2013/07/ssh-brute-force-the-10-year-old-attack-that-still-persists.html
[2] http://labs.sucuri.net/dump/sshd_bruteforce_list.txt?_ga=1.53033320.1159093202.1416926351

More information about the security mailing list