From: Jordan Metzmeier on 6 Apr 2010 16:30

On Tue, Apr 6, 2010 at 4:14 PM, Stephen Powell <zlinuxman(a)wowway.com> wrote:
> On Tue, 6 Apr 2010 14:12:19 -0400 (EDT), Russell L. Carter wrote:
>>
>> I dist-upgraded yesterday and ssh root logins started requiring a
>> password.
>
> OK, I'll bite. Not that this is any of my business, but why do you
> allow *root* logins via *ssh* _without_ a password? Isn't that dangerous?
> At my shop, our policy is that root is not allowed to login via ssh
> at all. root can only login from the system console. To login as
> root via ssh, one must login as a normal user first, then su to root.
> But you not only allow root to login via ssh, you don't even require
> a password! That sounds like a security hole big enough to drive a
> tank through! Would you mind explaining why you do this?
>
> --

What the PermitRootLogin without-password actually does is restrict
root login to key authentication only. This (imo) is more secure than
the default configuration, as public keys are much more difficult to
brute-force than passwords. Also, your typical botnet (based on my own
experiences/logs) is usually attempting to brute-force passwords.

Also, you can add a passphrase to your public key so that it requires
both a key and password. This also works with without-password but will
create issues when you have scripts that need to be able to
authenticate non-interactively.

The sshd_config manpage does not do a very good job of explaining this.

Hope that clears up some confusion, Stephen.

--
Jordan Metzmeier

Archive: http://lists.debian.org/k2w50e5edd51004061323sd611d044oe3ea02d3dfb03dd9(a)mail.gmail.com
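
A way to check what a given sshd_config says about root logins, as an added example that is not part of the original thread. The function names and SAMPLE_CONFIG are constructed for illustration; `prohibit-password` is the spelling newer OpenSSH releases use for the same setting as `without-password`.

```python
# Added example: report the root-login policy that an sshd_config text implies.
ROOT_POLICIES = {
    "yes": "root may log in with any enabled method, passwords included",
    "without-password": "root may log in, but password authentication is refused",
    "prohibit-password": "root may log in, but password authentication is refused",
    "forced-commands-only": "root may log in by key only, and only to run a forced command",
    "no": "root may not log in over ssh",
}

# Constructed sample, not taken from the thread.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
Port 22
permitrootlogin without-password
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin no
"""

def global_setting(config_text, keyword):
    """Return the first global value of keyword, or None if it is not set.

    sshd uses the first value it obtains for a keyword and treats keyword
    names case-insensitively. Lines after a Match line apply only when the
    Match criteria are met, so the global scan stops there.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # "Keyword value" and "Keyword=value" are both accepted forms.
        parts = line.replace("=", " ", 1).split(None, 1)
        if not parts:
            continue
        name = parts[0].lower()
        if name == "match":
            break
        if name == keyword.lower() and len(parts) == 2:
            return parts[1].split()[0].strip('"')
    return None

def root_login_policy(config_text):
    """Return (value, meaning) for the global PermitRootLogin setting."""
    value = global_setting(config_text, "PermitRootLogin")
    if value is None:
        return None, "not set: the default of the installed OpenSSH version applies"
    return value, ROOT_POLICIES.get(value, "unrecognised value")

if __name__ == "__main__":
    print(root_login_policy(SAMPLE_CONFIG))
```

In the sample, the later `PermitRootLogin yes` line has no effect because the first value wins, and the `Match` block is outside the global scan.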