LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   How to prohibit direct root login (ssh or console) (http://www.linuxquestions.org/questions/linux-security-4/how-to-prohibit-direct-root-login-ssh-or-console-828431/)

Hiroshi 08-25-2010 01:02 PM

How to prohibit direct root login (ssh or console)
 
Hi All,

I added the following lines to /etc/ssh/ssh_config file:

PermitRootLogin no
DenyUsers root
DenyGroups root

And then restarted my sshd as followd:

# /etc/init.d/sshd restart

Then, I exited out of the box and logged back in as root thru ssh.

1- What am I doing wrong?
2- How do I restrict root direct console login?

Many thanks in advance.

sycamorex 08-25-2010 01:07 PM

You need to modify sshd_config not ssh_config

MensaWater 08-25-2010 01:10 PM

/etc/securetty lists the devices that allow root login. You can delete everything but console from it.

I would NOT try to restrict root login on the console as in many situations that is the only way to get in to fix things. You can setup sudo and require that admins login as themselves then "sudo su -" by policy. You can setup mechanisms to notify other systems when a direct root login occurs and make folks explain why they had to do that but restricting it from console is a bad idea.

Hiroshi 08-25-2010 01:20 PM

MensaWater - Thanks for your reply. Do I have to restart any daemon for this to take effect? I just edited the file and commented everything out except console (like you suggested), logged out and logged back in. root was still allowed to ssh in directly.

sycamorex - I'll try that next; thanks.

frieza 08-25-2010 01:20 PM

problem is physical access to a machine trumps any security measures you have in place so you're never going to truely be able to totally restrict root access from someone sitting in front of the machine, granted preventing root from logging in remotely might be a good idea, although ubuntu and osX for instance have the root account disabled by default in some manner (with the exception of single user mode which of course always runs as root) and force everyone to use sudo to access root type functions, so perhaps the trick is to find out how ubuntu and osX does it (probably by assigning some really strong random password and throwing out the key so to speak so the password to root can only be changed in single user mode or by using sudo, and nobody knows the root password so nobody can log in as root) of course this doesn't work if your system is set to chalange for root's password when booting into single user mode (though i think most don't by default)

and no i don't believe you do have to restart anything after editing /etc/securetty

Hiroshi 08-25-2010 01:44 PM

Quote:

Originally Posted by sycamorex (Post 4077451)
You need to modify sshd_config not ssh_config

sycamorex - Right on, that fixed it; thanks.

Hiroshi 08-25-2010 01:46 PM

Quote:

Originally Posted by MensaWater (Post 4077456)
/etc/securetty lists the devices that allow root login. You can delete everything but console from it.

I would NOT try to restrict root login on the console as in many situations that is the only way to get in to fix things. You can setup sudo and require that admins login as themselves then "sudo su -" by policy. You can setup mechanisms to notify other systems when a direct root login occurs and make folks explain why they had to do that but restricting it from console is a bad idea.

MensaWater - What's wrong with commenting out console from /etc/securetty file and force root to login as a regular account on the console (thru kvm switch that is) and su to root once logged in? Is this workable?

Hiroshi 08-25-2010 01:52 PM

frieza - Thanks for your reply. Our server room is physically very secured, so I don't worry about someone hacking to one of my servers by sitting at the console in from of the server. Currently there are two ways to remotely login to our servers as root:

1- login to one of our kvm switches thru an internet browser, and login as root on the console.

2- ssh as root directly which I just closed off.

MensaWater 08-25-2010 01:54 PM

Quote:

Originally Posted by Hiroshi (Post 4077501)
MensaWater - What's wrong with commenting out console from /etc/securetty file and force root to login as a regular account on the console (thru kvm switch that is) and su to root once logged in? Is this workable?

The problem is that sometimes regular accounts aren't available or won't load (e.g. due to issues with home filesystem or quota checking not working). Not leaving yourself a way to get in when most things aren't working is apt to cause you headaches. However as noted by another poster once you have physical access to the server there are often ways to get around any security (especially that stored on the HD itself) such as by booting from a live CD.

MensaWater 08-25-2010 01:58 PM

Quote:

Originally Posted by Hiroshi (Post 4077471)
MensaWater - Thanks for your reply. Do I have to restart any daemon for this to take effect? I just edited the file and commented everything out except console (like you suggested), logged out and logged back in. root was still allowed to ssh in directly.

Since you fixed it with sycamorex's solution this is moot but I'm posting it for completeness.

You can make sshd respect /etc/securetty by modifying pam. On my CentOS5 (and therefore also on RHEL5) the file to modify would be /etc/pam.d/sshd.

That file might look like:
Code:

#%PAM-1.0
auth      include      system-auth
account    required    pam_nologin.so
account    include      system-auth
password  include      system-auth
session    optional    pam_keyinit.so force revoke
session    include      system-auth
session    required    pam_loginuid.so


If you insert a line for pam_securetty.so as shown below it would make sshd use securetty.
Code:

#%PAM-1.0
auth      include      system-auth
account    required    pam_securetty.so
account    required    pam_nologin.so
account    include      system-auth
password  include      system-auth
session    optional    pam_keyinit.so force revoke
session    include      system-auth
session    required    pam_loginuid.so

The pam configuration may be in a different location depending on your distro.


All times are GMT -5. The time now is 11:18 PM.