root access by ssh - enabled by default or not?


Post by taylorkh » 2018/11/27 18:06:03

I have always been taught that direct root access over ssh is a bad thing. Better to have the user authenticate on the remote system with their own username and then su or sudo to perform administrative functions. Today I came across a mini tutorial on-line about how to set up keys to allow connection over ssh without being prompted for a password. I have done basically the same thing using MY account to set up keys using Seahorse and the gnome keyring. The example in the tutorial, however, showed how to set up a key pair to allow the user to connect to the root account on the remote server directly without being prompted for the remote server root password. Yes, they did need the root password for the initial setup.

I tested this against a CentOS 7 virtual machine and was able to connect directly to the root account. I then restored a snapshot of the VM before creating the keypair and tried connecting to the VM over ssh

Code:

[ken@vmCentOS7Mate ~]$ ssh root@10.42.0.85
root@10.42.0.85's password: 
Last login: Thu May 17 09:07:37 2018
ABRT has detected 3 problem(s). For more info run: abrt-cli list --since 1526562457
[root@vmCentOS75Wine ~]# 

This would imply that root connection over ssh is allowed by default. When I looked in /etc/ssh/sshd_config on the remote machine I found this line commented out

Code:

#PermitRootLogin yes

That would make me think that the root access is NOT allowed by default and that I would have to consciously enable it. However, that does not seem to be the case. If I change the referenced line to "PermitRootLogin no" and restart ssh I find that root cannot connect - as expected.

Just curious.

Ken


Re: root access by ssh - enabled by default or not?

Post by avij » 2018/11/27 18:15:24

taylorkh wrote:
2018/11/27 18:06:03
When I looked in /etc/ssh/sshd_config on the remote machine I found this line commented out

Code:

#PermitRootLogin yes

That would make me think that the root access is NOT allowed by default and that I would have to consciously enable it. However, that does not seem to be the case. If I change the referenced line to "PermitRootLogin no" and restart ssh I find that root cannot connect - as expected.

There's this at the top of sshd_config:

Code:

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

So the PermitRootLogin is enabled by default.

Some of the security profiles that you can select in the installer can change the PermitRootLogin setting at install time, though.

You are right that password auth for root user should indeed be disabled by anyone who cares about their system at all.

Also, for reference, here's a quote from man sshd_config:
PermitRootLogin

Specifies whether root can log in using ssh(1). The argument must be yes, prohibit-password, without-password, forced-commands-only, or no. The default is yes.

If this option is set to prohibit-password or without-password, password and keyboard-interactive authentication are disabled for root.

If this option is set to forced-commands-only, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

If this option is set to no, root is not allowed to log in.


Re: root access by ssh - enabled by default or not?

Post by taylorkh » 2018/11/27 19:28:50

Thanks avij,

As ssh login by root is bad, I had never tried it before. And thanks for pointing out the "strategy." I have never done much with sshd_config. The only thing I typically tweak is MaxAuthTries which I have to bump up as the gnome (or mate) keyring process creates a key for each machine I wish to connect to and when I connect it tries every key until it finds one which works. I have found that after adding 5 or 6 keys I cannot connect to the next server for which I create a key. "too many failed logons" or something similar is returned. Bumping up the MaxAuthTries value is a (poor) workaround. I believe it has a value of 6 and is commented out as installed. Per the strategy I guess 6 is the default value.

Ken
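
The "commented line shows the default" strategy discussed in this thread, worked through as an added example (not part of the original posts and not OpenSSH code): a small audit helper that reports the effective PermitRootLogin and MaxAuthTries for an sshd_config text. The function names, the sample configs and the DEFAULTS table are assumptions made for the illustration; the defaults are the values given in the thread for CentOS 7.

```python
# Assumed defaults: PermitRootLogin "yes" is the value in the man page quoted
# in the thread; MaxAuthTries 6 is the OpenSSH default. Other builds may differ.
import re

DEFAULTS = {"permitrootlogin": "yes", "maxauthtries": "6"}

def effective_settings(config_text, defaults=DEFAULTS):
    """Return {keyword: (value, source)} for the global part of sshd_config.

    '#' lines have no effect, keywords are case-insensitive, and the first
    uncommented occurrence wins. Parsing stops at the first Match block.
    """
    found = {}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented option only documents the default
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        if keyword == "match":
            break  # conditional overrides are out of scope here
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        found.setdefault(keyword, (value, f"line {lineno}"))
    return {k: found.get(k, (v, "compiled-in default")) for k, v in defaults.items()}

def root_login_findings(settings):
    """Flag the one PermitRootLogin mode that still accepts a root password."""
    value, source = settings["permitrootlogin"]
    if value.lower() == "yes":
        return [f"root password login allowed (PermitRootLogin {value}, {source})"]
    return []

# Constructed sample: the stock layout described in the thread.
STOCK = """\
# Uncommented options override the default value.
#PermitRootLogin yes
#MaxAuthTries 6
"""
# Constructed sample: hardened file; the later duplicate line is ignored.
HARDENED = """\
PermitRootLogin prohibit-password
MaxAuthTries 6
PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hardened", HARDENED)):
        s = effective_settings(text)
        print(name, s, root_login_findings(s))
```

On a live host, `sshd -T` (run as root) prints the effective configuration as the daemon itself resolves it, including compiled-in defaults.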
