LinuxQuestions.org
Old 08-25-2010, 02:02 PM   #1
Hiroshi
LQ Newbie
 
Registered: Apr 2010
Posts: 20

Rep: Reputation: 0
How to prohibit direct root login (ssh or console)


Hi All,

I added the following lines to the /etc/ssh/ssh_config file:

PermitRootLogin no
DenyUsers root
DenyGroups root

And then restarted my sshd as follows:

# /etc/init.d/sshd restart

Then, I exited out of the box and logged back in as root thru ssh.

1- What am I doing wrong?
2- How do I restrict root direct console login?

Many thanks in advance.
 
Old 08-25-2010, 02:07 PM   #2
sycamorex
LQ Veteran
 
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,578
Blog Entries: 1

Rep: Reputation: 1033
You need to modify sshd_config, not ssh_config.
 
Old 08-25-2010, 02:10 PM   #3
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,026
Blog Entries: 5

Rep: Reputation: 789
/etc/securetty lists the devices that allow root login. You can delete everything but console from it.

I would NOT try to restrict root login on the console, as in many situations that is the only way to get in to fix things. You can set up sudo and require that admins log in as themselves and then "sudo su -" by policy. You can set up mechanisms to notify other systems when a direct root login occurs and make folks explain why they had to do that, but restricting it from the console is a bad idea.
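Posts #2 and #3 make two separate points: sshd only reads sshd_config (the OP's directives sat in the client file, ssh_config, where they do nothing), and /etc/securetty lists the devices on which root may log in. The script below is an added example, not code from this thread or from OpenSSH; it defines three small audit helpers (sshd_directive, misplaced_in_ssh_config, securetty_entries are hypothetical names) and runs them over constructed sample files so it works offline. It also encodes a rule sshd applies that the thread does not spell out: for a directive given more than once, sshd honours the first uncommented occurrence, and anything after a Match line is conditional.

```shell
#!/bin/sh
# Added example, not code from the thread: small audit helpers for the two
# fixes discussed above (sshd_config vs ssh_config, and /etc/securetty).
# All input files are constructed samples so the script runs offline.

# Effective global value of a directive in sshd_config.  sshd honours the
# FIRST uncommented occurrence; anything after a "Match" line is conditional,
# so the scan stops there.  Prints the value, or "unset" if not configured.
# Usage: sshd_directive <sshd_config> <Directive>
sshd_directive() {
    awk -v key="$2" '
        { sub(/^[ \t]+/, "") }                     # strip leading blanks
        /^#/ || /^$/ { next }                      # skip comments and empty lines
        {
            split($0, f, /[ \t]*=[ \t]*|[ \t]+/)   # "Key value" or "Key=value"
            if (tolower(f[1]) == "match") exit     # rest of file is conditional
            if (tolower(f[1]) == tolower(key)) { print f[2]; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Server-only directives found in the CLIENT file (ssh_config).  sshd never
# reads that file, so anything listed here has no effect: the OP's mistake.
misplaced_in_ssh_config() {
    awk '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) ~ /^(permitrootlogin|denyusers|denygroups|allowusers|allowgroups)$/ { print $1 }
    ' "$1"
}

# Uncommented device names left in a securetty file (where root may log in).
securetty_entries() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# Constructed sample files mirroring the thread: the three directives placed
# in the wrong file, the same three in sshd_config (plus a later duplicate and
# a Match block to show the first-match rule), and a securetty trimmed to console.
write_samples() {
    cat > "$1/ssh_config" <<'EOF'
# client config (constructed) - these lines belong in sshd_config
PermitRootLogin no
DenyUsers root
DenyGroups root
EOF
    cat > "$1/sshd_config" <<'EOF'
# server config (constructed)
Port 22
PermitRootLogin no
DenyUsers root
DenyGroups root
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
    cat > "$1/securetty" <<'EOF'
console
#tty1
#tty2
EOF
}

run_audit() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "misplaced in ssh_config: $(misplaced_in_ssh_config "$dir/ssh_config" | tr '\n' ' ')"
    echo "sshd PermitRootLogin:    $(sshd_directive "$dir/sshd_config" PermitRootLogin)"
    echo "sshd DenyUsers:          $(sshd_directive "$dir/sshd_config" DenyUsers)"
    echo "root allowed on ttys:    $(securetty_entries "$dir/securetty" | tr '\n' ' ')"
    rm -rf "$dir"
}

run_audit
```

Pointed at the real files (/etc/ssh/sshd_config, /etc/ssh/ssh_config, /etc/securetty) the same functions give a quick sanity check before restarting sshd. The scan deliberately stops at the first Match block: a Match that re-enables root for some address range is exactly the kind of exception an auditor should read by hand rather than have folded into a single "global" answer.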
 
Old 08-25-2010, 02:20 PM   #4
Hiroshi
LQ Newbie
 
Registered: Apr 2010
Posts: 20

Original Poster
Rep: Reputation: 0
MensaWater - Thanks for your reply. Do I have to restart any daemon for this to take effect? I just edited the file and commented everything out except console (like you suggested), logged out and logged back in. root was still allowed to ssh in directly.

sycamorex - I'll try that next; thanks.
 
Old 08-25-2010, 02:20 PM   #5
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,111

Rep: Reputation: 371
The problem is that physical access to a machine trumps any security measures you have in place, so you're never going to truly be able to totally restrict root access from someone sitting in front of the machine. Granted, preventing root from logging in remotely might be a good idea. Ubuntu and OS X, for instance, have the root account disabled by default in some manner (with the exception of single-user mode, which of course always runs as root) and force everyone to use sudo to access root-type functions, so perhaps the trick is to find out how Ubuntu and OS X do it (probably by assigning some really strong random password and throwing out the key, so to speak, so the password to root can only be changed in single-user mode or by using sudo, and nobody knows the root password so nobody can log in as root). Of course this doesn't work if your system is set to challenge for root's password when booting into single-user mode (though I think most don't by default).

And no, I don't believe you have to restart anything after editing /etc/securetty.
 
Old 08-25-2010, 02:44 PM   #6
Hiroshi
LQ Newbie
 
Registered: Apr 2010
Posts: 20

Original Poster
Rep: Reputation: 0
Quote (originally posted by sycamorex):
You need to modify sshd_config, not ssh_config.
sycamorex - Right on, that fixed it; thanks.
 
Old 08-25-2010, 02:46 PM   #7
Hiroshi
LQ Newbie
 
Registered: Apr 2010
Posts: 20

Original Poster
Rep: Reputation: 0
Quote (originally posted by MensaWater):
/etc/securetty lists the devices that allow root login. You can delete everything but console from it.

I would NOT try to restrict root login on the console, as in many situations that is the only way to get in to fix things. You can set up sudo and require that admins log in as themselves and then "sudo su -" by policy. You can set up mechanisms to notify other systems when a direct root login occurs and make folks explain why they had to do that, but restricting it from the console is a bad idea.
MensaWater - What's wrong with commenting out console from /etc/securetty file and force root to login as a regular account on the console (thru kvm switch that is) and su to root once logged in? Is this workable?
 
Old 08-25-2010, 02:52 PM   #8
Hiroshi
LQ Newbie
 
Registered: Apr 2010
Posts: 20

Original Poster
Rep: Reputation: 0
frieza - Thanks for your reply. Our server room is physically very secure, so I don't worry about someone hacking into one of my servers by sitting at the console in front of the server. Currently there are two ways to remotely log in to our servers as root:

1- login to one of our kvm switches thru an internet browser, and login as root on the console.

2- ssh as root directly which I just closed off.
 
Old 08-25-2010, 02:54 PM   #9
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,026
Blog Entries: 5

Rep: Reputation: 789
Quote (originally posted by Hiroshi):
MensaWater - What's wrong with commenting out console from /etc/securetty file and force root to login as a regular account on the console (thru kvm switch that is) and su to root once logged in? Is this workable?
The problem is that sometimes regular accounts aren't available or won't load (e.g. due to issues with the home filesystem or quota checking not working). Not leaving yourself a way to get in when most things aren't working is apt to cause you headaches. However, as noted by another poster, once you have physical access to the server there are often ways to get around any security (especially that stored on the HD itself), such as by booting from a live CD.
 
Old 08-25-2010, 02:58 PM   #10
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 6,026
Blog Entries: 5

Rep: Reputation: 789
Quote (originally posted by Hiroshi):
MensaWater - Thanks for your reply. Do I have to restart any daemon for this to take effect? I just edited the file and commented everything out except console (like you suggested), logged out and logged back in. root was still allowed to ssh in directly.
Since you fixed it with sycamorex's solution this is moot but I'm posting it for completeness.

You can make sshd respect /etc/securetty by modifying pam. On my CentOS5 (and therefore also on RHEL5) the file to modify would be /etc/pam.d/sshd.

That file might look like:
Code:
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

If you insert a line for pam_securetty.so as shown below, it would make sshd use securetty.
Code:
#%PAM-1.0
auth       include      system-auth
account    required     pam_securetty.so
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
The pam configuration may be in a different location depending on your distro.

Last edited by MensaWater; 08-25-2010 at 03:00 PM.
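The post above shows the pam.d/sshd stack before and after adding pam_securetty.so. Because a mistyped PAM stack locks every SSH user out, not just root, a practitioner would make that edit with a backup and a check that it is not applied twice. The script below is an added example, not MensaWater's code: add_pam_securetty and pam_has_securetty are hypothetical helper names, and the sample file it edits is a constructed copy of the CentOS 5 stack shown in the post. It inserts the line ahead of the first account entry, exactly where the post places it.

```shell
#!/bin/sh
# Added example, not MensaWater's own code: apply the pam_securetty.so change
# from the post above to a COPY of a pam.d/sshd file, idempotently and with a
# backup, then verify it.  The sample file below is the stack shown in the post.

PAM_SECURETTY_LINE='account    required     pam_securetty.so'

# True (exit 0) if an uncommented line already loads pam_securetty.so.
pam_has_securetty() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'pam_securetty\.so'
}

# Insert the line ahead of the first uncommented "account" entry, so the
# securetty check runs before pam_nologin and the system-auth include.
# Exit status: 0 inserted, 2 already present (nothing changed).
add_pam_securetty() {
    f=$1
    if pam_has_securetty "$f"; then
        return 2
    fi
    cp "$f" "$f.bak"    # a broken PAM stack locks everyone out of sshd: keep a backup
    awk -v line="$PAM_SECURETTY_LINE" '
        !done && $1 == "account" { print line; done = 1 }
        { print }
    ' "$f.bak" > "$f"
}

# Constructed copy of the /etc/pam.d/sshd shown in the post (CentOS 5 layout).
write_sample_pam() {
    cat > "$1/sshd" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
EOF
}

demo() {
    dir=$(mktemp -d)
    write_sample_pam "$dir"
    add_pam_securetty "$dir/sshd" && echo "inserted:"
    cat "$dir/sshd"
    add_pam_securetty "$dir/sshd" || echo "second run: already present (rc=$?)"
    rm -rf "$dir"
}

demo
```

Before running it against the real /etc/pam.d/sshd, keep an existing root session open until a fresh login as a regular user has been confirmed to work; the post's own caveat applies, since the PAM file lives in a different place on some distributions, and some current distributions no longer ship /etc/securetty at all.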
Tags
security, ssh, sshd