taylorkh wrote: 2018/11/27 18:06:03
When I looked in /etc/ssh/sshd_config on the remote machine I found this line commented out
That would make me think that the root access is NOT allowed by default and that I would have to consciously enable it. However, that does not seem to be the case. If I change the referenced line to "PermitRootLogin no" and restart ssh I find that root cannot connect - as expected.
There's this at the top of sshd_config:
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
So the PermitRootLogin is enabled by default.
Some of the security profiles that you can select in the installer can change the PermitRootLogin setting at install time, though.
You are right that password auth for the root user should indeed be disabled by anyone who cares about their system at all.
Also, for reference, here's a quote from man sshd_config:
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, without-password, forced-commands-only, or no. The default is yes.
If this option is set to prohibit-password or without-password, password and keyboard-interactive authentication are disabled for root.
If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to no, root is not allowed to log in.
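As an added example (not from the thread, and not OpenSSH's own code), this POSIX shell snippet reads an sshd_config from stdin and reports the effective global PermitRootLogin value following the rule quoted above: commented lines are ignored, the first uncommented occurrence wins, and an absent directive means the built-in default "yes". Directives after a Match line are conditional, so they are left out of the global value; the sample configs are constructed for the demonstration.

```shell
# Added example: evaluate PermitRootLogin the way sshd does.
# effective_permit_root_login < sshd_config  -> prints the effective global value
effective_permit_root_login() {
    awk '
        # Stop at the first Match block: everything after it is conditional.
        tolower($1) == "match" { exit }
        # Skip blank lines and comments; a commented option is NOT active.
        /^[[:space:]]*(#|$)/ { next }
        # Keywords are case-insensitive and the first occurrence wins.
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "yes" }
    '
}

# root_password_login_possible < sshd_config -> exit 0 if root may log in with a password
root_password_login_possible() {
    case "$(effective_permit_root_login)" in
        yes) return 0 ;;
        *)   return 1 ;;   # prohibit-password, without-password, forced-commands-only, no
    esac
}

# Constructed sample configs (not real files from the thread).
# 1. Stock-style file: the directive is present only as a comment.
STOCK='#PermitRootLogin yes
PasswordAuthentication yes'
# 2. Hardened: the first uncommented occurrence wins over a later "yes".
HARDENED='PermitRootLogin prohibit-password
PermitRootLogin yes'
# 3. Only set inside a Match block, so the global default still applies.
MATCH_ONLY='Match Address 192.0.2.0/24
    PermitRootLogin no'

for name in STOCK HARDENED MATCH_ONLY; do
    eval "cfg=\$$name"
    value=$(printf '%s\n' "$cfg" | effective_permit_root_login)
    printf '%-10s -> PermitRootLogin %s\n' "$name" "$value"
done
```

On a live system, `sshd -T` prints the effective configuration and is the authoritative check for what the running daemon will enforce.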