Need help on how to enable direct login of root via ssh?
I found info that I just need to update /etc/ssh/sshd_config, but I couldn't see that file in the location...
Please help.
Many Thanks,
Rhea
What distro are you using, and what version of sshd do you have installed? Can I also ask why you would want to do this? Having it configured for root logins is a potential security risk, and I highly recommend to NOT have it configured like that.
Seriously, listen to corp769 and don't do this. We recently dealt with an intrusion where it is likely the attacker got access by guessing the root password for ssh. Once compromised, that machine was used to probe for other machines that allowed root access. There was a file containing a loooooooong list of IP addresses with valid root passwords. Those machines are probably now compromised as well.
You REALLY don't want to do this.
Thanks man. I personally know of several occasions where because root access was allowed, sh*t got f*ck*d up..... But if the OP really wants to do this, then by all means, let him. We are here to recommend and give the *correct* advice, but it doesn't mean that he will listen to us.
I agree that this is something that should not be done, except in the most specific of circumstances. In this situation, the OP stated:
Quote:
I found info that I just need to update /etc/ssh/sshd_config, but I couldn't see that file in the location
EngnrRG, I mean this in the most humble of ways and intend no disrespect, but if you are having trouble with this portion of the process, it is an indication that you don't have a sufficient grasp of Linux configuration to understand the implications and risks associated with the desired action.
If you would please, tell us why you want to permit direct root login and what problem you are trying to solve. Perhaps there is another way that would entail less risk? My initial suspicion would be that you have some form of permissions problem that you are trying to address. SSH via root should be unnecessary as a user can simply login and then su to root and applications have ways to work around direct root login.
The best way to configure ssh is to set it up so that it requires the use of digital certificates (which you then password-protect), and .. very importantly .. so that it will not "helpfully" keep offering less-and-less secure alternatives such as "passwords."
As ssh is typically deployed, the "s" is a serious misnomer. It is, in fact, "an ass-to-the-wind wide open" shell that (oh, by the way...) happens to encrypt its network traffic. It's an avenue by which "anyone in the world, anywhere in the world" can brute-force passwords.
There should be one and only one way that anyone can get through your secure shell: they must have a badge. In other words, an approved-by-you and issued-by-you personal certificate, encrypted using a password that they alone possess. If you have 100 different workstations that can get to your box, then, yup... you're managing 100 different certificates somehow, but c'est la guerre. If "workstation #93" gets stolen at the airport security checkpoint, you merely have to invalidate "certificate #93" and the door is slammed shut. (Even if the thief somehow knows what the password is that was used to encrypt that certificate, "the badge has been revoked" and it is therefore quite useless.)
VPN, if you have that, must be set up the same way. Don't use passwords, except as a means of securing individually issued certificates.
Quote:
EngnrRG, I mean this in the most humble of ways and intend no disrespect, but if you are having trouble with this portion of the process, it is an indication that you don't have a sufficient grasp of Linux configuration to understand the implications and risks associated with the desired action.
More eloquent than I could have stated it.
If you really have to ask, you don't want to do this. It's in place for your safety.
I agree w/ all the warnings so far & have given a bunch of rep accordingly.
Now, please answer Noway2's question.
Quote:
Originally Posted by Noway2
...
If you would please, tell us why you want to permit direct root login and what problem you are trying to solve. Perhaps there is another way that would entail less risk? My initial suspicion would be that you have some form of permissions problem that you are trying to address. SSH via root should be unnecessary as a user can simply login and then su to root and applications have ways to work around direct root login.
If the file /etc/ssh/sshd_config isn’t there, the defaults will be used I think - so create it. Nevertheless, it’s possible to restrict root-login to be allowed only from certain machines (AllowUsers root@10.0.2.1) and by ssh-passphrase (and the public key) instead of a plain password (PermitRootLogin without-password).
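The settings named in the reply above (PermitRootLogin, AllowUsers, and the defaults that apply when the file is missing) can be checked with a small audit. This is an added example, not part of any post in this thread; it assumes OpenSSH 7.0 or later defaults, the sample configurations are constructed, and `admin` is a hypothetical unprivileged account.

```python
# Added example, not from the thread. Audits the global section of an sshd_config.
# Assumptions: OpenSSH 7.0+ defaults; Include files and Match blocks are not
# evaluated (parsing stops at the first Match line).
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

# Constructed samples; "admin" is a hypothetical unprivileged account.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("PermitRootLogin without-password\nPasswordAuthentication no\n"
            "AllowUsers root@10.0.2.1 admin\n")

def effective_settings(config_text):
    """Return (settings, allow_users); a missing file is the empty string."""
    settings, allow_users = {}, []
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            break
        if keyword == "allowusers":
            allow_users.extend(value.split())    # AllowUsers lines accumulate
        else:
            settings.setdefault(keyword, value)  # sshd keeps the first value seen
    for key, default in DEFAULTS.items():
        settings.setdefault(key, default)
    return settings, allow_users

def audit(config_text):
    """Return findings about root login over SSH for this configuration."""
    settings, allow_users = effective_settings(config_text)
    root = settings["permitrootlogin"].lower()
    passwords = settings["passwordauthentication"].lower() == "yes"
    if root == "no":
        return ["root login disabled"]
    findings = []
    if root == "yes" and passwords:
        findings.append("root can log in with a password")
    else:  # without-password is the older spelling of prohibit-password
        findings.append("root password login blocked (PermitRootLogin %s)" % root)
    root_rules = [p for p in allow_users if p.split("@")[0] == "root"]
    if allow_users and not root_rules:
        findings.append("root is not listed in AllowUsers")
    elif not any("@" in p for p in root_rules):
        findings.append("root is not limited to a source host")
    if allow_users and len(root_rules) == len(allow_users):
        findings.append("AllowUsers admits only root")
    return findings
```

On a live host, `sshd -T` prints the effective configuration, including Match and Include handling that this sketch skips.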
Please hold further answers until we know if EngnrRG is going to respond -- we really, really need to know if we're dealing w/ a user who doesn't understand the dangers s/he may be exposing him/herself to. I wish I could find a workable metaphor that would liken this to loading a hand gun for someone who is planning to shoot him/herself in the foot.
Quote:
Seriously, listen to corp769 and don't do this. We recently dealt with an intrusion where it is likely the attacker got access by guessing the root password for ssh. Once compromised, that machine was used to probe for other machines that allowed root access. There was a file containing a loooooooong list of IP addresses with valid root passwords. Those machines are probably now compromised as well.
Just because one network was totally screwed up does not mean direct root cannot be used elsewhere. It's better to just not use passwords, and to instead use encrypted SSH certificates (e.g. ssh-agent). Even then, there are times and places where automated root access may be needed (for example, rsync over ssh system backups). But you do need to understand what all is going on to make the right choices for your computers. And if you do understand that, you would not need to ask online how to get direct root access.
Thanks for all the advice. My problem was resolved... Actually, we don't do this.
This is just an exemption for a server which I just built... I belong to a project team in which we do the OS build, and for this project we only need to install the OS and they will do the rest like access and all, and since they don't have access to the console, I need to allow direct root login to them and they will do the rest...
Quote:
and since they don't have access to the console, I need to allow direct root login to them
Since the subject of this thread is "direct root access", I would like to call exception on this as there have been far too many cases in the security forum where systems have been lost as a result of this practice. For that matter, there are far too many threads where the operator is unnecessarily working as root as a routine.
@EngnrRG, please understand that my comments are not directed at you specifically as this is a generalized problem. I would ask that you take into consideration what I am about to say, however.
Root, followed by Nagios and variations of Phpmyadmin are about the three most commonly attempted brute force users. While using key based authentication does help greatly, it is not infallible.
While I do understand and appreciate that there are limited cases where this may be needed, it seems as if every thread on this subject is an exception, which is too much of a stretch. Even with rsync there are ways to set up accounts and permissions to perform this function without enabling direct ssh root login. In the cases where it is required, it is important, if not imperative, that it be restricted in some other fashion, such as limited to a local, private LAN or from a particular IP, etc. Once logged in as a normal user, it is simple to issue the command "su -" to become root and by using this method you have eliminated the number one vulnerability exploit from SSH. Perpetually running and logging in as root is a sign that you haven't established a proper permissions structure.