SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Since it's clear you don't know how sshd works, I'd like to point out that if you have a user "bob" with UID 0, then sshd will not allow you to log in using a password with the default of "PermitRootLogin prohibit-password". It looks at the UID, not the username.
Since it's clear you don't know how sshd works, I'd like to point out that if you have a user "bob" with UID 0, then sshd will not allow you to log in using a password with the default of "PermitRootLogin prohibit-password". It looks at the UID, not the username.
Yeah, I know that. I said it earlier. I was taking the mick.
Here's a blast from the past. What's in a name... well not a lot really. root/toor/a/fred/brian/kevin/jesus they all mean the same if passwd has them as uid 0.
<snip>
Nothing has changed though it seems, people are still obsessed with the name 'root' and how to secure it.
Quote:
I'm considering petitioning Pat as he's around to change the default 'root' name to Bob.
That'll stop the bad guys.
(Note: Nothing to do with SSH)
A few years ago I tried to increase security on some HP-UX and SunOS systems by creating an innocuous user name with ID=0 and giving the user name root an ID number with nobody type of permissions.
It worked...kind of. I reverted back to using root after a couple of weeks because most of the system administration maintenance scripts and application installation/update scripts only checked for the user name not the user ID number. It became tedious having to rewrite all the new installation/update scripts arriving every week for all of the programs we were running. I gave into convention and decided to use my extra energy elsewhere.
I remember at the time thinking the installation/update script authors were lazy by not properly checking for "god" access.
Last edited by TracyTiger; 02-03-2016 at 09:04 PM.
Reason: Typo
This was one amusing thread to read... usually it's a bit of TL;DR for me, but I kept reading for some reason.
I'd like to chip in a few cents, just to keep this going :-)
I like it how Dave started with ranting and now is in a state to be reasoned with. I understand your frustration, been there a few times when some defaults changed or things started to work differently "all of a sudden"; happens to all of us I suppose. Keeps things interesting, I guess.
Anyway, your prior claim that changing this default from "permissive" to "restrictive" does not make Slackware _less_ suitable for server/corporate environments, but acutally more... security is a big issue, certainly nowadays. And as Pat stated, the rant would've been worse if this was reverse(d).
Also, I think that Slackware still (and always will be, because this philosophy is so much in the heart of it) does the "it's your system, do with it what you want"... It's only a default, but you can still (easily) change it.
I recall systems like Yast, where one had to do a change manually, because it was not in the menus... and then running that dreaded Yast again reversed that manual change... And there have been more... heck, it was the same system: I had to uninstall almost everything to replace one kind of LDAP with another LDAP... because, heck: everything was eventually glued to that LDAP... about as far as the kernel. Give me Slackware any day! There will be some surprises, but none (I hope) I cannot overcome. It's my system, I can do with it what I want.
You know that realisation you get half way through the thread when it occurs to you that you're behaving like a dickead... well yes, I was angry, frustration at what seems a pointless change bought down the red-mist. It's pleasing to know someone obtained some amusement from it though.
I just did a slackpkg upgrade-all and locked myself out of my box.
I did change the PermitRootLogin back to yes and also tried the new default "PermitRootLogin prohibit-password"
The authorizedkey for root is not accepted anymore and the password (obviously) is not accepted.
fail2ban now disabled the ssh port for my ip for an hour.
What strikes me as a nuisance is that everytime I do a slackpkg upgrade-all I must be prepared to spend at least a few hours on troubleshooting all the things I customized and that were undone by the upgrades.
I just did a slackpkg upgrade-all and locked myself out of my box.
I did change the PermitRootLogin back to yes and also tried the new default "PermitRootLogin prohibit-password"
The authorizedkey for root is not accepted anymore and the password (obviously) is not accepted.
fail2ban now disabled the ssh port for my ip for an hour.
What strikes me as a nuisance is that everytime I do a slackpkg upgrade-all I must be prepared to spend at least a few hours on troubleshooting all the things I customized and that were undone by the upgrades.
the problem is that you shouldn't do "slackpkg upgrade-all" blindly: it's assumed you have read the ChangeLog first.
Quote:
Originally Posted by the_changelog
*****************************************************************
* IMPORTANT: READ BELOW ABOUT POTENTIALLY INCOMPATIBLE CHANGES *
*****************************************************************
Rather than backport the fix for the information leak (which is the only
hazardous flaw), we have upgraded to the latest OpenSSH. As of version
7.0, OpenSSH has deprecated some older (and presumably less secure)
algorithms, and also (by default) only allows root login by public-key,
hostbased and GSSAPI authentication. Make sure that your keys and
authentication method will allow you to continue accessing your system
after the upgrade.
I have access now again. PermitRootLogin yes works OK.
Now I will have to redo my keys. They are now 1024bit DSA style. I am not a security wiz and have used these keys as is since 2007.
What type of public-key is best to choose?
I use the defaults, that is what openssh developers consider safer: you can run
Code:
/etc/rc.d/rc.sshd restart
(that won't cut you off as only the listener process is killed) and that should take care of regenerating all the supported keys for the server (here ssh_host_dsa_key, ssh_host_ecdsa_key, ssh_host_ed25519_key and ssh_host_rsa_key).
then you delete/move away your old key for that server from your ~/.ssh/known_host on the client box and you try to connect again to the server: this should prompt you to accept by default an ecdsa-sha2-nistp256 key.
as you can see DSA keys are not considered so secure anymore and they have been superseded by ECDSA ones that are preferred when you have no local keys for that host.
Last edited by ponce; 02-06-2016 at 07:45 AM.
Reason: fixed DSA/ECDSA informations
The puttyGen on the windows machine does not generate ecdsa keys. Can't get openssl-1.0.1r to accept the dsa keys.
I've tried to reinstall the 1.0.1.p package but is was removed from the mirrors and everywhere else I look. sigh. This exactly what I meant with nuissance.
I upgrade telco equipment. If I were to even suggest doing a change that could not be easily reverted I would be seriously frowned upon.
OK let me put the decision to accept this OpenSSH default into a little context.
At the end of every install off of a default slackware installation system into a VM, or onto any remote system, the installer (person doing the install) is going to have to remember to drop to the prompt and modify sshd_config before rebooting the system. Either that or he/she is going to have open a VM console session to modify the default install, or have someone take a screen or keyboard along to the headless system, to modify the default installed state.
So a default slackware install (from the unadulterated source Pat provides) to anything other than a PC which you can physically accesss is automatically harder. OpenSSH have decided slackware only belongs on PCs with screens and keyboards attached, and you all support that. No headless ARM boxes, no S390 images, no headless PCs. That's just fine.
It seems to me that you'd just modify your installer to copy your administration user's public key into /root/.ssh/authorized_keys or /root/.ssh/authorized_keys2
You know that realisation you get half way through the thread when it occurs to you that you're behaving like a dickead... well yes, I was angry, frustration at what seems a pointless change bought down the red-mist. It's pleasing to know someone obtained some amusement from it though.
Some of us pick our aliases here with care, you know.
Folks who work on telco software (I used to) would put a LOT of effort into making the installers/upgraders stupid-simple and able to back out of messed up installations on their own.
We had cases of equipment sitting in a bunker out in the middle of nowhere (like an island in the Pacific) that had to be upgraded remotely over a satellite link. You really didn't want to be the one to fly out to fix the problem.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.