Is there any simple way of restricting ssh logins to a system to prevent remote root logins?
I'd like to do this to add a little more security so that one has to log in as a non-root user and *then* su to root (if you want root privileges for some reason). This would mean that an intruder would need to guess/hack two passwords to get root access.
On Friday 20 May 2005 8:46 pm, Chris Green wrote:
Is there any simple way of restricting ssh logins to a system to prevent remote root logins?
I am actually a little shocked that this isn't the default setting for the ssh server on your distro. Go to (on my system at least, yours may vary in path) /etc/ssh/sshd_config and change or insert the following line.
PermitRootLogin no
Restart the sshd daemon and off you go. Actually, the way this is handled by ssh is that it will still appear to accept a root login attempt but reject even the correct password.
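A small audit script, added here as an example and not part of Wayne's message or of OpenSSH itself, showing which PermitRootLogin value sshd will actually use once the line has been inserted. The one thing that catches people out is that sshd keeps the *first* value it reads for a keyword, so inserting "PermitRootLogin no" below an existing "PermitRootLogin yes" changes nothing; the script reproduces that rule and also stops at the first "Match" line, since anything below it is no longer the global setting. The function names and the sample configs are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): report the effective
# global PermitRootLogin value of an sshd_config read on stdin.
# Rules reproduced here: comment and blank lines are skipped, keywords are
# case-insensitive, the FIRST occurrence of a keyword wins, and a "Match"
# line ends the global section.

effective_permit_root_login() {
    # Reads sshd_config text on stdin; prints the effective value, or
    # "default" if the keyword is never set in the global section.
    awk '
        /^[ \t]*#/ || /^[ \t]*$/          { next }   # skip comments and blanks
        tolower($1) == "match"            { exit }   # global section is over
        tolower($1) == "permitrootlogin"  {          # first occurrence wins
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "default" }
    '
}

# Exit status 0 when remote root login is switched off, 1 otherwise.
root_login_disabled() {
    [ "$(effective_permit_root_login)" = "no" ]
}

# Constructed sample configs (not taken from any real host).
HARDENED_CFG='# root has to log in as an ordinary user and then su
Port 22
PermitRootLogin no'

MISORDERED_CFG='PermitRootLogin yes
# the next line is ignored: sshd keeps the first value it saw
PermitRootLogin no'

MATCH_ONLY_CFG='Port 22
Match Address 192.0.2.0/24
    PermitRootLogin no'

for name in HARDENED_CFG MISORDERED_CFG MATCH_ONLY_CFG; do
    eval "cfg=\$$name"
    if printf '%s\n' "$cfg" | root_login_disabled; then
        echo "$name: remote root login disabled"
    else
        value=$(printf '%s\n' "$cfg" | effective_permit_root_login)
        echo "$name: remote root login NOT disabled globally (value: $value)"
    fi
done
```

To check a real file, run `effective_permit_root_login < /etc/ssh/sshd_config`. What "default" means depends on the OpenSSH release: old versions defaulted to "yes", current ones to "prohibit-password" (keys only). On OpenSSH 5.1 and later, `sshd -T` prints the fully resolved configuration and is the authoritative answer; the script above is useful where you only have the file (a backup, a config-management template) and not the daemon.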
On Fri, May 20, 2005 at 10:57:49PM +0100, Wayne Stallwood wrote:
On Friday 20 May 2005 8:46 pm, Chris Green wrote:
Is there any simple way of restricting ssh logins to a system to prevent remote root logins?
I am actually a little shocked that this isn't the default setting for the ssh server on your distro. Go to (on my system at least, yours may vary in path) /etc/ssh/sshd_config and change or insert the following line.
PermitRootLogin no
Restart the sshd daemon and off you go. Actually, the way this is handled by ssh is that it will still appear to accept a root login attempt but reject even the correct password.
Thanks, you and the other reply, now done.
Wayne Stallwood ALUGlist@digimatic.plus.com wrote:
I am actually a little shocked that this isn't the default setting for the ssh server on your distro.
I'm not; fwicr the debian policy and upstream policy changed this default setting a couple of years back, especially if it was ssh2. There are good reasons to leave root being able to log in via ssh... in some cases root might be the *only* real account on the box, with any others pulled in via nis, or ldap or from a database etc... if this goes down, how are you going to get in to the machine to repair it? Oh, and often, you might have /home mounted over NFS or similar, and users may not be permitted to log in if their home directory "doesn't exist"; root can.
<snippity />
Right - and with that, I shall wander off to be a little hungover again :)
Thanks,
--
Brett Parker
web: http://www.sommitrealweird.co.uk/
email: iDunno@sommitrealweird.co.uk