[SOLVED] Debian now only allows passwordless root login over SSH
Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
During a dist-upgrade to Jessie the installer informed me that Debian recommended only passwordless root login over SSH. The question asked was whether I agreed to changing SSH so that only passwordless logins for root were allowed.
For years now I have disabled any type of SSH root login on any Debian install.
This is sometimes inconvenient, mostly because it is hard to rsync or back up files which are only accessible by root. My workaround is to temporarily enable root login on the destination and initiate the rsync from the source.
My surprise is that Debian proposes to allow root login at all.
Is root login not a security risk, even when it is key based? Is it safe to do anyway?
Quote:
Originally Posted by jlinkels
Is root login not a security risk, even when it is key based?
Using pubkey auth only disables password guessing and requires you to possess both the private key and the passphrase (deities smite those who use passphrase-less keys).
Quote:
Originally Posted by jlinkels
Is it safe to do anyway?
All SSH logins should be subject to common restrictions like "from=" declarations in ~/.ssh/authorized_keys, (to be deprecated) tcp_wrappers, PAM listfile, /etc/security/access.conf, firewall static whitelisting and reactive methods like fail2ban. Note that using multiple layers is suggested.
And your house should be a concrete bunker with reinforced doors, triple locks, bars on the windows and a team of armed guards patrolling the perimeter.
In the real world, some tradeoffs are made between practicality and security.
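As an added example (not code from this thread, from Debian or from OpenSSH), here is a small audit of the two controls discussed above: the PermitRootLogin value in sshd_config (the Jessie "passwordless root" setting is spelled `PermitRootLogin without-password`) and whether each key in root's authorized_keys carries the "from=" restriction unSpawn recommends. The sample config, keys and 192.0.2.x addresses are constructed; the authorized_keys parser honours double quotes so a multi-host from= list is not split on its commas.

```python
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")
DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")  # "Key value" or "Key=value"

def effective_setting(config_text, keyword):
    """First occurrence wins in sshd_config; stop at the first Match block."""
    for raw in config_text.splitlines():
        m = DIRECTIVE.match(raw.split("#", 1)[0].strip())  # drop comments
        key = m.group(1).lower() if m else None
        if key == "match":
            break
        if key == keyword.lower():
            return m.group(2).strip()
    return None  # unset: sshd's compiled-in default applies

def key_options(line):
    """Option names of one authorized_keys line ('[options] type data [comment]').
    Options end at the first whitespace outside double quotes, so from="a,b" stays whole."""
    if line.startswith(KEY_TYPES):
        return set()  # no options at all
    names, buf, in_quote = set(), "", False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            break  # end of the option list
        elif ch == "," and not in_quote:
            names.add(buf.partition("=")[0])
            buf = ""
            continue
        buf += ch
    names.add(buf.partition("=")[0])
    return names

def audit(sshd_config, root_authorized_keys):
    """Findings against the posture in the thread: key-only root login, every root key pinned with from=."""
    findings = []
    prl = effective_setting(sshd_config, "PermitRootLogin")
    if prl is None or prl.lower() == "yes":
        findings.append("PermitRootLogin %s: key-only root login not enforced in the file" % (prl or "unset"))
    for line in (l.strip() for l in root_authorized_keys.splitlines()):
        if line and not line.startswith("#") and "from" not in key_options(line):
            findings.append("root key '%s' has no from= restriction" % line.split()[-1])  # label = trailing field
    return findings

# Constructed sample inputs (not taken from any real host); key data is a placeholder.
SAMPLE_SSHD_CONFIG = "Port 22\n# PermitRootLogin yes\nPermitRootLogin without-password\nPasswordAuthentication yes\n"
SAMPLE_ROOT_KEYS = ('from="192.0.2.10,192.0.2.11",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE backup@src\n'
                    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQEXAMPLE admin@laptop\n")
```

Running `audit(SAMPLE_SSHD_CONFIG, SAMPLE_ROOT_KEYS)` reports only the unrestricted admin@laptop key, since the backup key is pinned to its two source hosts and the config already forbids password logins for root.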
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Original Poster
Quote:
Originally Posted by unSpawn
All SSH logins should be subject to common restrictions like "from=" declarations in ~/.ssh/authorized_keys, (to be deprecated) tcp_wrappers, PAM listfile, /etc/security/access.conf, firewall static whitelisting and reactive methods like fail2ban. Note that using multiple layers is suggested.
So as I understand it, it is an additional security measure, but still not recommended.
Obviously denying root logins is best. But if you are forced to use root login then pubkey auth-only access provides good protection. I may SSH out of a machine as root user but that doesn't require the remote user to be root as well. And I never SSH in as root because there's nothing I transfer that I can't chown appropriately later on.
Another reason to deny remote SSH logins to the root account is to prevent the loss of accountability. The user who uses the remote SSH root login is not identified in the logs by his/her account credentials. But by requiring users to first log in remotely with their own user credentials, and then access the root account via su or sudo, the log files maintain tracking of users both by access to a remote host and then by access to the root account.
Last edited by thumbelina; 05-20-2015 at 04:48 PM.