During a dist-upgrade to Jessie the installer informed me that Debian recommended only passwordless root login over SSH. And the question asked was if I agreed to changing SSH so that only passwordless logins for root were allowed.

Now since years I disable any type of SSH root login on any Debian install.

Which is sometimes inconvenient. Mostly because it is hard to do some rsync copy or backup of files which are only accessible by root. My workaround is to temporarily enable root login on the destination, and initiate the rsync from the source.

My surprise is that Debian proposes to allow root login at all.

Is root login not a security risk, even when it is key based? Is it safe to do anyway?

jlinkels

Using pubkey auth only disables password guessing and requires you to possess both the private key and the pass phrase (deities smite those who use pass phrase-less keys).


All SSH logins should be subject to common restrictions like "from=" declarations in ~/.ssh/authorized_keys, (to be deprecated) tcp_wrappers, PAM listfile, /etc/security/access.conf, firewall static white listing and reactive methods like fail2ban. Note using multiple layers is suggested.

And your house should be a concrete bunker with reinforced doors, triple locks, bars on the windows and a team of armed guards patrolling the perimeter.

In the real world, some tradeoffs are made between practicality and security.

I know you can do better than that. So instead of stating the obvious show us your practical implementation.

How can you run (automated) scripts with passworded private keys though? Maybe this is what descendant_command took objection to.

So as I understand it, it is an additional security measure, but still not recommended.

jlinkels

Obviously denying root logins is best. But if you are forced to use root login then pubkey auth-only access provides good protection. I may SSH out of a machine as root user but that doesn't require the remote user to be root as well. And I never SSH in as root because there's nothing I transfer that I can't chown appropriately later on.

1 members found this post helpful.

another reason to deny remote SSH logins to the root account is to prevent the loss of accountability. The user who uses the remote SSH root login is not identified in the logs by his/her account credentials. But by requiring users to first remote login with their user credentials, and then accessing the root account via su or sudo, the logfiles maintain tracking of users both by access to a remote host and then by access to the root account.

1 members found this post helpful.