From: Stephen Powell
On Tue, 6 Apr 2010 16:23:35 -0400 (EDT), Jordan Metzmeier wrote:
> On Tue, Apr 6, 2010 at 4:14 PM, Stephen Powell wrote:
>> On Tue, 6 Apr 2010 14:12:19 -0400 (EDT), Russell L. Carter wrote:
>>>
>>> I dist-upgraded yesterday and ssh root logins started requiring a
>>> password.
>>
>> OK, I'll bite.  Not that this is any of my business, but why do you
>> allow *root* logins via *ssh* _without_ a password?  Isn't that dangerous?
>> At my shop, our policy is that root is not allowed to log in via ssh
>> at all.  root can only log in from the system console.  To log in as
>> root via ssh, one must log in as a normal user first, then su to root.
>> But you not only allow root to log in via ssh, you don't even require
>> a password!  That sounds like a security hole big enough to drive a
>> tank through!  Would you mind explaining why you do this?
>
> What the PermitRootLogin without-password actually does is restrict
> root login to key authentication only. This (imo) is more secure than
> the default configuration, as public keys are much more difficult to
> brute-force than passwords. Also, your typical botnet (based on my own
> experiences/logs) is usually attempting to brute-force passwords.
>
> Also, you can add a passphrase to your public key so that it requires
> both a key and password. This also works with without-password but
> will create issues when you have scripts that need to be able to
> authenticate non-interactively.
>
> The sshd_config manpage does not do a very good job of explaining
> this. Hope that clears up some confusion Stephen.

So the idea is that both the server *and* the client authenticate to
each other via SSL? (I.e. both server and client have a public key /
private key pair?) And only someone in possession of the client's
private key would be able to authenticate to the server? Is that
basically what you're saying?

--
.''`. Stephen Powell <zlinuxman(a)wowway.com>
: :' :
`. `'`
`-


--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/1848932970.1488811270587743225.JavaMail.root(a)md01.wow.synacor.com
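An added example, not part of the thread and not OpenSSH's own code: a small POSIX shell audit that reads an sshd_config and reports how root may authenticate, covering the PermitRootLogin values Jordan describes (yes, without-password, no) together with PasswordAuthentication. It implements two rules from sshd_config(5): for each keyword the first value obtained is the one used, and lines after a Match header belong to that block rather than the global section. The defaults it assumes (PermitRootLogin yes, PasswordAuthentication yes, ChallengeResponseAuthentication yes) are those of the OpenSSH 5.x series current in 2010; the sample configs at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the root-login
# posture discussed above. It mirrors two rules from sshd_config(5):
#   - for each keyword, the first value obtained is the one used;
#   - lines after a "Match" header apply only to that block, so the
#     global lookup stops there.
# Defaults are those of the OpenSSH 5.x era of this thread (2010). The sample
# configs near the bottom are constructed for illustration.

# effective_value CONFIG_TEXT KEYWORD DEFAULT
#   Print the globally effective value of KEYWORD (case-insensitive; either
#   "Keyword value" or "Keyword=value" form), or DEFAULT if the keyword is
#   never set before the first Match block.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
                             -v def="$3" '
        { sub(/#.*/, ""); sub(/=/, " ") }          # drop comments, allow "="
        NF >= 1 && tolower($1) == "match" { exit }  # global section ends here
        NF >= 2 && tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }'
}

# root_ssh_posture CONFIG_TEXT
#   Print one word describing how root may authenticate over ssh:
#     root-ssh-disabled                PermitRootLogin no
#     root-key-only                    without-password (alias prohibit-password
#                                      in OpenSSH 7.0+): sshd refuses password
#                                      and keyboard-interactive auth for root
#     root-forced-commands-only        key login only, and only for keys that
#                                      carry a command= option
#     root-password-disabled-globally  PermitRootLogin yes, but no password
#                                      method is enabled for any user
#     root-password-allowed            root can authenticate with a password
root_ssh_posture() {
    prl=$(effective_value "$1" PermitRootLogin yes | tr 'A-Z' 'a-z')
    pw=$(effective_value "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    kbd=$(effective_value "$1" ChallengeResponseAuthentication yes | tr 'A-Z' 'a-z')
    case $prl in
        no)                                 echo root-ssh-disabled ;;
        without-password|prohibit-password) echo root-key-only ;;
        forced-commands-only)               echo root-forced-commands-only ;;
        yes)
            if [ "$pw" = no ] && [ "$kbd" = no ]; then
                echo root-password-disabled-globally
            else
                echo root-password-allowed
            fi ;;
        *)                                  echo "unrecognised-value:$prl" ;;
    esac
}

# Constructed sample configs (not taken from any real host).
CFG_DEFAULT='# nothing set explicitly: era defaults apply
Port 22
'
CFG_KEY_ONLY='PermitRootLogin without-password
PubkeyAuthentication yes
PasswordAuthentication yes
'
CFG_FIRST_WINS='PermitRootLogin no
# appended later; ignored, because the first value obtained wins
PermitRootLogin yes
'
CFG_MATCH='PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 10.0.0.0/8
    PermitRootLogin no
'

for name in CFG_DEFAULT CFG_KEY_ONLY CFG_FIRST_WINS CFG_MATCH; do
    eval "cfg=\$$name"
    printf '%-14s %s\n' "$name" "$(root_ssh_posture "$cfg")"
done
```

To audit a live host, pass `"$(cat /etc/ssh/sshd_config)"` to root_ssh_posture instead of a sample. The script only reads the global section, so a PermitRootLogin inside a Match block (as in CFG_MATCH) does not change the verdict; the authoritative check on any OpenSSH from 5.1 onward is `sshd -T`, which prints the fully resolved configuration.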