LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 08-16-2008, 08:55 AM   #1
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Rep: Reputation: 30
How Bad/Risky Is It to SSH as Root?


I hate typing sudo and password a million times so I just login as root. I know this is generally frowned upon, but how bad an idea is this really? I never sit in front of the actual servers as its cramped as hell and my desk is much nicer with dual wide screen monitors and such.
 
Old 08-16-2008, 09:23 AM   #2
matthewg42
Senior Member
 
Registered: Oct 2003
Location: UK
Distribution: Kubuntu 12.10 (using awesome wm though)
Posts: 3,530

Rep: Reputation: 63
You might find this post helpful.
 
Old 08-16-2008, 09:38 AM   #3
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 234Reputation: 234Reputation: 234
Also, if you're really that picky about using sudo and typing in the users password, just configure it to be passwordless. Sudo is powerful, you really should limit it to the commands you need to run only or if you really need full control, allow it to do everything but change root's password or the like.

Or the last resort if you're really lazy about it is, login as normal user and then just use sudo to su to root, at least that way you're not passing root's login remotely.
 
Old 08-16-2008, 09:55 AM   #4
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by trickykid View Post
Also, if you're really that picky about using sudo and typing in the users password, just configure it to be passwordless. Sudo is powerful, you really should limit it to the commands you need to run only or if you really need full control, allow it to do everything but change root's password or the like.

Or the last resort if you're really lazy about it is, login as normal user and then just use sudo to su to root, at least that way you're not passing root's login remotely.
I'm not using a GUI at least. dudo wouldn't be so bad if the root password wasn't so bad (it's hard to type a random string of upper and lower case letters with numbers and punctuation). Unfortunately, I really don't want anything slowing me down at the moment.

Maybe I'll switch to normal login and sudo su as you said.
 
Old 08-16-2008, 12:35 PM   #5
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 670Reputation: 670Reputation: 670Reputation: 670Reputation: 670Reputation: 670
Root is a known user and will be a target of brute force attacks. Just so that you understand, the ssh server should not allow root logins at all. Even if you log in as a normal user, and then su to root, you will be better off. If you don't use sudo, then your commands will not be logged which can be helpful if more than one user knows the root password and you need to find out when a change was made.

Sudo is often used to be able to distribute duties among different people or groups without needing to distribute the root password. It can also control which commands are allowed, and will log each command. The advantage of not giving out the root password is obvious. If you don't need this type of access control or logging, then using "su" at the beginning of a session would be fine.

Ideally the server would use only public key authentication, with a passphrase and wouldn't allow root logins. Also, often PAM is configured to use the previous authentication in a session within a certain time period. So you may not need to re-enter the root password every time you use sudo. If all of the commands you are entering are administrative commands, then using "su" after logging in would make sense.

So using sudo is used to protect the root secret when you have several administrators. Not allowing remote root logins improves security from outside threats. IMHO, the former may not be as important if only one or two people administer a server. The later is very important because it helps protect against brute force attacks from non-administrative users (including employees or hacked computers on the LAN).

FYI. I find the "ssh-agent" and "ssh-add" commands very useful. I will ssh from one computer to another fairly frequently. Using "eval $(ssh-agent)" and then "ssh-add", you only need to enter the secret pass-phrase once. When running the ssh-add command at the start of a session. The pass-phrase protects your secret key (on the client). If you own a laptop, and the key is stolen, it can't be used to log into a server without the passphrase. Since the passphrase unlocks the client's secret key, you can log into different servers as well without reentering the passphrase.

Last edited by jschiwal; 08-16-2008 at 12:52 PM.
 
Old 08-16-2008, 03:25 PM   #6
arizonagroovejet
Senior Member
 
Registered: Jun 2005
Location: England
Distribution: openSUSE, Fedora, CentOS
Posts: 1,078

Rep: Reputation: 195Reputation: 195
Quote:
Originally Posted by jschiwal View Post
Root is a known user and will be a target of brute force attacks. Just so that you understand, the ssh server should not allow root logins at all.
Very true. If you do want to be able to log in as root via ssh then you should restrict the IP addresses from which logins are accepted. It's easy enough to restrict it to just the IP address of your own machine or even just to the IP addresses used by your organisation.
 
Old 08-16-2008, 03:39 PM   #7
davidstvz
Member
 
Registered: Jun 2008
Posts: 405

Original Poster
Rep: Reputation: 30
Quote:
Originally Posted by arizonagroovejet View Post
Very true. If you do want to be able to log in as root via ssh then you should restrict the IP addresses from which logins are accepted. It's easy enough to restrict it to just the IP address of your own machine or even just to the IP addresses used by your organisation.
If su gives me exactly the same privileges as root, I will do it that way just to be safe. I'm already aware (because of a security monitoring program) that there are several hundred attempts on the root account every day.

Of course I guess I can't check the root email if I do that, but I could always have that forwarded somewhere.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
in DSL on HDD, compile from sources as apt-get is too risky? stabu DamnSmallLinux 1 04-14-2007 02:25 PM
hdparm risky parameters props666999 Slackware 2 03-08-2007 01:50 PM
add user to root group - risky? BroX Linux - Security 7 01-07-2005 12:10 PM
I have to ssh -l root to run root processes!? paul.nel Red Hat 3 11-15-2004 12:55 PM
bad ssh? joesbox Linux - Networking 6 03-19-2003 09:08 AM


All times are GMT -5. The time now is 04:08 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration