LinuxQuestions.org
Old 01-05-2011, 08:28 PM   #1
YellowSnowIsBad
Member
 
Registered: Oct 2010
Posts: 48

ssh & root


Hey, I've heard that you shouldn't allow root access over ssh; what's the big deal?
If a user account that has sudo privileges is cracked already, what's the difference?


I allow root access over ssh, but I use a 30 character random password and disable all other accounts. Is this unsafe?

Thanks.
 
Old 01-05-2011, 08:48 PM   #2
pljvaldez
LQ Guru
 
Registered: Dec 2005
Location: Somewhere on the String
Distribution: Debian Wheezy (x86)
Posts: 6,094

It's probably most secure to disable all users but one, set up ssh keys instead of relying on passwords, and then su to root manually once logged in. Google around for "harden ssh" or "securing ssh" and there are a lot of articles if you're concerned about it.

Also, as to sudo users, I use explicit sudo permissions in the sudoers file, not just giving people "ALL" access. I only give the sudo permissions for the things they need.
 
Old 01-05-2011, 09:41 PM   #3
YellowSnowIsBad
Member
 
Registered: Oct 2010
Posts: 48

Original Poster
Thanks for the swift response. There are plenty of guides out there that explain how to set up keys etc., but none of them really explain why a remote root account is bad. None of them explain why it is necessary to log in as a normal user and su, besides the obvious, that the root account is an easy target; if a 30 character password is in place or keys are set up, what is the big deal?

Thanks.
 
Old 01-06-2011, 01:24 AM   #4
ashish_neekhra
Member
 
Registered: Nov 2007
Posts: 67

Quote:
Originally Posted by YellowSnowIsBad
Thanks for the swift response. There are plenty of guides out there that explain how to set up keys etc., but none of them really explain why a remote root account is bad. None of them explain why it is necessary to log in as a normal user and su, besides the obvious, that the root account is an easy target; if a 30 character password is in place or keys are set up, what is the big deal?

Thanks.

Read this, it will surely clear all doubts.
 
Old 01-06-2011, 01:33 AM   #5
munavar
LQ Newbie
 
Registered: Dec 2010
Posts: 7

All hackers know that the root user must be there in the system; that's why we need to avoid root access for security purposes.
 
Old 01-06-2011, 08:03 AM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
if a user account who has sudo privileges is cracked already, what's the difference?

I suspect you've become used to the moronic implementation of sudo that the *buntus use. In its original form, sudo is meant to allow root level access to specific commands only. Yes, it can be used to give blanket root access, but that really isn't the way it should be used.

As for allowing direct root access via ssh, the overall idea behind security is to put up as many barriers as reasonable between the bad guys and a system compromise. By logging in as a normal user, you reduce the chances that a man-in-the-middle attack might successfully grab root's password. And by proper use of sudo, you don't have to do things like distribute the root keys/password to others who might need root access. Generally, the idea is that you should only use root when it is absolutely, positively essential to get the job done.
 
Old 01-06-2011, 08:11 AM   #7
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,326

In addition to Hangdog42's comment: /etc/sudoers is in some distributions set up to use the password of the user to grant root access. But it can be set up to ask for the real root password instead:

Code:
Defaults targetpw   # ask for the password of the target user i.e. root
Hence you first have to get access to the machine with one password/passphrase, then enter a second for the root account.
 
Old 01-06-2011, 12:24 PM   #8
YellowSnowIsBad
Member
 
Registered: Oct 2010
Posts: 48

Original Poster
Thanks, you have answered all my questions.
 
Old 01-06-2011, 12:32 PM   #9
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Originally Posted by Reuti
In addition to Hangdog42's comment: /etc/sudoers is in some distributions set up to use the password of the user to grant root access. But it can be set up to ask for the real root password instead:

I'd argue this is a horrible idea. Really, the whole point behind sudo is to allow specific root access to certain commands without distributing the root password all over the place. By implementing sudo this way, root's password also has to be distributed, which kind of defeats the purpose of sudo.
 
Old 01-06-2011, 01:26 PM   #10
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,326

Quote:
Originally Posted by Hangdog42
I'd argue this is a horrible idea. Really, the whole point behind sudo is to allow specific root access to certain commands without distributing the root password all over the place. By implementing sudo this way, root's password also has to be distributed, which kind of defeats the purpose of sudo.

Yes/no. In fact the targetpw should be the default IMO, and for certain user/commands combinations which you set up you can specify NOPASSWD: in /etc/sudoers or ask for the user's password again for certain command aliases:

Code:
Defaults targetpw   # ask for the password of the target user i.e. root
Defaults!MYCOMMANDS !targetpw
 
Old 01-07-2011, 07:55 AM   #11
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Quote:
Originally Posted by Reuti
Yes/no. In fact the targetpw should be the default IMO, and for certain user/commands combinations which you set up you can specify NOPASSWD: in /etc/sudoers or ask for the user's password again for certain command aliases:

Can I ask your reasoning behind this? To my way of thinking, keeping the root password secret is the paramount reason for using sudo. Even if you use NOPASSWD or negate targetpw for certain commands, it kind of puts you back in the same situation as not using targetpw in the first place.

Sorry, I'm not trying to be a pain, I'm honestly trying to understand your approach.
 
Old 01-07-2011, 09:48 AM   #12
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 13.1
Posts: 1,326

Yep. It's just a safety precaution, in case some default rule in the distribution would allow instant root access for everyone otherwise by his own password.

To have all these settings not scattered around in /etc/sudoers, I would even prefer that it must be specified for each rule, which would mean to have besides NOPASSWD: also the options TARGET_PW: and USER_PW: as tags.
 
Old 01-07-2011, 02:26 PM   #13
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Thanks for clarifying your thinking.
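
Added example, not part of any post in this thread: a shell check that reads an sshd_config and a sudoers file and reports the settings the posters discuss (direct root login, password authentication, blanket `ALL` grants, `NOPASSWD:`, `targetpw`). The file names, the users `alice` and `%ops` and the `BACKUP` alias are constructed for illustration; `targetpw` is only reported for review, since the thread disagrees on it.

```shell
#!/bin/sh
# Added example. Simplifications: Match blocks and Include files are ignored.
# On a live host, `sshd -T` prints the effective sshd settings.

# sshd_opt FILE KEYWORD DEFAULT: effective value (sshd uses the first occurrence)
sshd_opt() {
    awk -v k="$2" -v d="$3" '
        /^[ \t]*#/ { next }
        { sub(/=/, " ") }            # accept "Keyword=value" as well
        tolower($1) == tolower(k) { print tolower($2); found = 1; exit }
        END { if (!found) print d }' "$1"
}

# sudoers_findings FILE: one line per point the thread raises
sudoers_findings() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || /_Alias/ { next }
        $1 ~ /^Defaults/ { if ($1 == "Defaults" && $0 ~ /[ \t,]targetpw/) print "targetpw"; next }
        $1 == "root" { next }
        /=[ \t]*(\([^)]*\))?[ \t]*(NOPASSWD:[ \t]*)?ALL[ \t]*$/ { print "blanket-all:" $1 }
        /NOPASSWD:/ { print "nopasswd:" $1 }' "$1"
}

# audit SSHD_CONFIG SUDOERS: print findings, return 1 if there are any
audit() {
    out=$(
        # Defaults passed here are those of current OpenSSH releases
        [ "$(sshd_opt "$1" PermitRootLogin prohibit-password)" = yes ] && echo "ssh-root-login"
        [ "$(sshd_opt "$1" PasswordAuthentication yes)" = yes ] && echo "ssh-password-auth"
        sudoers_findings "$2"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"; return 1
}

# Constructed sample files, not taken from any poster's system
write_samples() {
    printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' > "$1/weak_sshd"
    printf '%s\n' '# keys only, no direct root' 'PermitRootLogin no' 'PasswordAuthentication no' > "$1/hard_sshd"
    printf '%s\n' 'Defaults targetpw' 'root ALL=(ALL) ALL' 'alice ALL=(ALL) ALL' '%ops ALL=(ALL) NOPASSWD: ALL' > "$1/weak_sudoers"
    printf '%s\n' 'Cmnd_Alias BACKUP = /usr/bin/rsync' 'root ALL=(ALL) ALL' 'alice ALL=(root) BACKUP' > "$1/hard_sudoers"
}

d=$(mktemp -d) && write_samples "$d"
echo "weak:";     audit "$d/weak_sshd" "$d/weak_sudoers" || true
echo "hardened:"; audit "$d/hard_sshd" "$d/hard_sudoers" && echo "no findings"
rm -rf "$d"
```
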
 
  


All times are GMT -5. The time now is 07:03 PM.