Old 06-19-2004, 06:28 PM   #1
moger
Member
 
Registered: Sep 2002
Distribution: Fedora Core 3
Posts: 247

Rep: Reputation: 30
Disabling root login via SSH


By default, isn't SSH set up to not allow root to log in via SSH? I thought I heard that somewhere. Then I was reading an article that says in /etc/ssh/sshd_config to change "PermitRootLogin" from yes to no. I looked through that file and did not find a "PermitRootLogin" line. Can someone fill me in?
 
Old 06-19-2004, 08:27 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Just create a line that looks exactly like this:
PermitRootLogin no

Then kill sshd and restart it (or kill it with the -HUP signal). Also, you'll want to confirm that your OS is actually using the default config file in /etc/ssh instead of one stuck somewhere else (examine your init scripts to make sure it's not using the -f flag to override the default config file).

I think some distros independently changed their shipping config files to disable root login by default, but the source distribution from OpenSSH.org has it enabled by default. The reason for this is so you can still log in to a remote server after upgrading it (unexpectedly being locked out after an upgrade would be messy).

Best practices say that you should always disable remote root login and use some other method, such as sudo (once authenticated with a normal user).
 
Old 06-19-2004, 09:28 PM   #3
moger
Member
 
Registered: Sep 2002
Distribution: Fedora Core 3
Posts: 247

Original Poster
Rep: Reputation: 30
I did that and...

/etc/ssh/ssh_config: line 38: Bad configuration option: PermitRootLogin
/etc/ssh/ssh_config: terminating, 1 bad configuration options
 
Old 06-20-2004, 03:26 AM   #4
ppuru
Senior Member
 
Registered: Mar 2003
Location: Beautiful BC
Distribution: RedHat & clones, Slackware, SuSE, OpenBSD
Posts: 1,791

Rep: Reputation: 46
Actually, that line goes in /etc/ssh/sshd_config
 
Old 06-20-2004, 06:15 AM   #5
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Yes, make sure you put that in sshd_config, and also make sure your OpenSSH version is 3.7.1p2 or newer.
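
Added example (not part of any post in this thread): a shell check for the two problems discussed above, namely which PermitRootLogin value the server file actually yields and whether the directive was put in the client file ssh_config by mistake. The function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example; the sample config files below are constructed.

# Print the global PermitRootLogin value found in a server config FILE.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional.
# Prints "unset" when no active line exists (compiled-in default applies).
effective_permit_root_login() {
    awk -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }              # drop indentation, re-split fields
        /^#/ || /^$/ { next }               # skip comments and blank lines
        tolower($1) == "match" { exit }     # end of the global section
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 if a client config FILE (ssh_config) carries an active
# PermitRootLogin line, which the ssh client rejects with
# "Bad configuration option" as seen in post #3.
client_config_has_server_keyword() {
    grep -Eiq '^[[:space:]]*permitrootlogin([[:space:]=]|$)' "$1"
}

# Demo on constructed files (a real check would point at /etc/ssh/sshd_config
# or at whatever file the init script passes to sshd with -f).
demo_dir=$(mktemp -d)
printf '%s\n' '#PermitRootLogin yes' 'Port 22' \
    'PermitRootLogin no' 'PermitRootLogin yes' > "$demo_dir/sshd_config"
printf '%s\n' 'Host *' '  PermitRootLogin no' > "$demo_dir/ssh_config"

echo "sshd_config: PermitRootLogin $(effective_permit_root_login "$demo_dir/sshd_config")"
if client_config_has_server_keyword "$demo_dir/ssh_config"; then
    echo "ssh_config: server-only keyword present, move it to sshd_config"
fi
rm -rf "$demo_dir"
```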
 
Old 06-20-2004, 09:23 AM   #6
moger
Member
 
Registered: Sep 2002
Distribution: Fedora Core 3
Posts: 247

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by chort
Yes, make sure you put that in sshd_config, and also make sure your OpenSSH version is 3.7.1p2 or newer.
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $

But according to swaret (slack's update tool), I have openssh-3.8.1p1-i486-1. hmmm
 
Old 06-20-2004, 12:50 PM   #7
tuxq
Member
 
Registered: Feb 2003
Location: USA
Distribution: Slackware-current
Posts: 47

Rep: Reputation: 15
He said that version or newer :P
There are a lot of exploits for older OpenSSH Daemons.
One nasty one where someone could use a modified ssh client and gain root =)
 
Old 06-20-2004, 03:55 PM   #8
moger
Member
 
Registered: Sep 2002
Distribution: Fedora Core 3
Posts: 247

Original Poster
Rep: Reputation: 30
Quote:
Originally posted by tuxq
He said that version or newer :P
There are a lot of exploits for older OpenSSH Daemons.
One nasty one where someone could use a modified ssh client and gain root =)
Yeah but what I was saying is, why does my ssh config file say v 1.19 yet my slackware system say v3.8.1 is installed?
 
  



All times are GMT -5. The time now is 02:38 AM.
