LinuxQuestions.org


EngnrRG 05-12-2011 05:44 AM

Direct root login via ssh
 
Hi experts.

Need help on how to enable direct login of root via ssh?
I found info that I just need to update /etc/ssh/sshd_config, but I couldn't see that file in the location...

Please help.

Many Thanks,
Rhea

corp769 05-12-2011 06:49 AM

Hello,

What distro are you using, and what version of sshd do you have installed? Can I also ask why you would want to do this? Having it configured for root logins is a potential security risk, and I highly recommend to NOT have it configured like that.

Josh

Hangdog42 05-12-2011 07:10 AM

Seriously, listen to corp769 and don't do this. We recently dealt with an intrusion where it is likely the attacker got access by guessing the root password for ssh. Once compromised, that machine was used to probe for other machines that allowed root access. There was a file containing a loooooooong list of IP addresses with valid root passwords. Those machines are probably now compromised as well.


You REALLY don't want to do this.

corp769 05-12-2011 07:23 AM

Quote:

Originally Posted by Hangdog42 (Post 4354232)
Seriously, listen to corp769 and don't do this. We recently dealt with an intrusion where it is likely the attacker got access by guessing the root password for ssh. Once compromised, that machine was used to probe for other machines that allowed root access. There was a file containing a loooooooong list of IP addresses with valid root passwords. Those machines are probably now compromised as well.


You REALLY don't want to do this.

Thanks man. I personally know of several occasions where because root access was allowed, sh*t got f*ck*d up..... But if the OP really wants to do this, then by all means, let him. We are here to recommend and give the *correct* advice, but it doesn't mean that he will listen to us.

Noway2 05-12-2011 08:05 AM

I agree that this is something that should not be done, except in the most specific of circumstances. In this situation, the OP stated:
Quote:

I found info that I just need to update /etc/ssh/sshd_config, but I couldn't see that file in the location
EngnrRG, I mean this in the most humble of ways and intend no disrespect, but if you are having trouble with this portion of the process, it is an indication that you don't have a sufficient grasp of Linux configuration to understand the implications and risks associated with the desired action.

If you would please, tell us why you want to permit direct root login and what problem you are trying to solve. Perhaps there is another way that would entail less risk? My initial suspicion would be that you have some form of permissions problem that you are trying to address. SSH via root should be unnecessary as a user can simply login and then su to root and applications have ways to work around direct root login.

sundialsvcs 05-12-2011 08:44 AM

The best way to configure ssh is to set it up so that it requires the use of digital certificates (which you then password-protect), and .. very importantly .. so that it will not "helpfully" keep offering less-and-less secure alternatives such as "passwords."

As ssh is typically deployed, the "s" is a serious misnomer. It is, in fact, "an ass-to-the-wind wide open" shell that (oh, by the way...) happens to encrypt its network traffic. It's an avenue by which "anyone in the world, anywhere in the world" can brute-force passwords.

There should be one and only one way that anyone can get through your secure shell: they must have a badge. In other words, an approved-by-you and issued-by-you personal certificate, encrypted using a password that they alone possess. If you have 100 different workstations that can get to your box, then, yup... you're managing 100 different certificates somehow, but c'est la guerre. If "workstation #93" gets stolen at the airport security checkpoint, you merely have to invalidate "certificate #93" and the door is slammed shut. (Even if the thief somehow knows what the password is that was used to encrypt that certificate, "the badge has been revoked" and it is therefore quite useless.)

VPN, if you have that, must be set up the same way. Don't use passwords, except as a means of securing individually issued certificates.

Security is not a "tool." It is a "process."

anomie 05-13-2011 05:03 PM

Quote:

Originally Posted by Noway2
EngnrRG, I mean this in the most humble of ways and intend no disrespect, but if you are having trouble with this portion of the process, it is an indication that you don't have a sufficient grasp of Linux configuration to understand the implications and risks associated with the desired action.

More eloquent than I could have stated it. ;)

If you really have to ask, you don't want to do this. It's in place for your safety.

archtoad6 05-15-2011 09:24 AM

EngnrRG,

I agree w/ all the warnings so far & have given a bunch of rep accordingly.

Now, please answer Noway2's question.
Quote:

Originally Posted by Noway2 (Post 4354281)
...
If you would please, tell us why you want to permit direct root login and what problem you are trying to solve. Perhaps there is another way that would entail less risk? My initial suspicion would be that you have some form of permissions problem that you are trying to address. SSH via root should be unnecessary as a user can simply login and then su to root and applications have ways to work around direct root login.


Reuti 05-16-2011 10:12 AM

If the file /etc/ssh/sshd_config isn’t there, the defaults will be used I think - so create it. Nevertheless, it’s possible to restrict root-login to be allowed only from certain machines (AllowUsers root@10.0.2.1) and by ssh-passphrase (and the public key) instead of a plain password (PermitRootLogin without-password).
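
The settings named in this post, and the key-only setup sundialsvcs describes earlier, can be checked mechanically. The following is an added example, not part of any post in the thread: a small auditor for the global section of an sshd_config. The finding codes, function names and sample configurations are constructed for illustration, and the defaults used for absent keywords are an assumption stated in the code.

```python
from fnmatch import fnmatchcase

# Assumed value when a keyword is absent. "yes" was the PermitRootLogin default
# in older OpenSSH releases; newer ones default to prohibit-password.
ASSUMED_DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

def parse_sshd_config(text):
    """Return (settings, allow_users) from the lines before any Match block."""
    settings, allow_users = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        key, args = fields[0].lower(), fields[1:]
        if key == "match":
            break                      # conditional blocks are not audited here
        if key == "allowusers":
            allow_users.extend(args)   # collect patterns from every AllowUsers line
        elif args:
            settings.setdefault(key, args[0].lower())  # sshd keeps the first value
    return settings, allow_users

def audit_root_login(text):
    """Return finding codes for direct root login; [] means none were found."""
    settings, allow_users = parse_sshd_config(text)
    root_mode = settings.get("permitrootlogin", ASSUMED_DEFAULTS["permitrootlogin"])
    passwords = settings.get("passwordauthentication",
                             ASSUMED_DEFAULTS["passwordauthentication"])
    if root_mode == "no":
        return []
    # With AllowUsers present, only users matching a pattern may log in at all.
    root_entries = [p for p in allow_users
                    if fnmatchcase("root", p.split("@", 1)[0])]
    if allow_users and not root_entries:
        return []
    findings = []
    if root_mode == "yes" and passwords == "yes":
        findings.append("root-password-login")
    hosts = [p.split("@", 1)[1] if "@" in p else "*" for p in root_entries]
    if not hosts or "*" in hosts:
        findings.append("root-any-source-host")
    return findings

# Constructed sample configurations.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
RESTRICTED = "PermitRootLogin without-password\nAllowUsers root@10.0.2.1\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("restricted", RESTRICTED)):
        print(name, audit_root_login(cfg))
```

AllowUsers is an allow list: a configuration containing only the root entry shown here would refuse every other account, so a real file also lists the other permitted users.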

archtoad6 05-17-2011 08:30 AM

Reuti,

Please hold further answers until we know if EngnrRG is going to respond -- we really, really need to know if we're dealing w/ a user who doesn't understand the dangers s/he may be exposing him/herself to. I wish I could find a workable metaphor that would liken this to loading a hand gun for someone who is planning to shoot him/herself in the foot.

Skaperen 05-17-2011 01:14 PM

Quote:

Originally Posted by Hangdog42 (Post 4354232)
Seriously, listen to corp769 and don't do this. We recently dealt with an intrusion where it is likely the attacker got access by guessing the root password for ssh. Once compromised, that machine was used to probe for other machines that allowed root access. There was a file containing a loooooooong list of IP addresses with valid root passwords. Those machines are probably now compromised as well.

Just because one network was totally screwed up does not mean direct root cannot be used elsewhere. It's better to just not use passwords, and to instead use encrypted SSH certificates (e.g. ssh-agent). Even then, there are times and places where automated root access may be needed (for example, rsync over ssh system backups). But you do need to understand what all is going on to make the right choices for your computers. And if you do understand that, you would not need to ask online how to get direct root access.

EngnrRG 05-18-2011 02:51 AM

Hi guys,

Thanks for all the advice. My problem was resolved... Actually, we don't do this.
This is just an exemption of a server which I just built... I belong to a project team in which we do the OS build, and for this project we only need to install the OS and they will do the rest, like access and all, and since they don't have access to the console, I need to allow direct root login to them and they will do the rest...

I have just updated this file

vi /etc/ssh2/ssh-server-config.xml


Many Thanks to everyone :)

corp769 05-18-2011 03:33 AM

Anytime! If all of your questions have been answered, please mark your thread solved and give rep if applicable, thanks!

Josh

Noway2 05-18-2011 04:25 AM

Quote:

and since they don't have access to the console, I need to allow direct root login to them
Since the subject of this thread is "direct root access", I would like to call exception on this as there have been far too many cases in the security forum where systems have been lost as a result of this practice. For that matter, there are far too many threads where the operator is unnecessarily working as root as a routine.

@EngnrRG, please understand that my comments are not directed at you specifically as this is a generalized problem. I would ask that you take into consideration what I am about to say, however.

Root, followed by Nagios and variations of phpMyAdmin are about the three most commonly attempted brute force users. While using key based authentication does help greatly, it is not infallible.

While I do understand and appreciate that there are limited cases where this may be needed, it seems as if every thread on this subject is an exception, which is too much of a stretch. Even with rsync there are ways to set up accounts and permissions to perform this function without enabling direct ssh root login. In the cases where it is required, it is important, if not imperative, that it be restricted in some other fashion, such as limited to a local, private LAN or from a particular IP, etc. Once logged in as a normal user, it is simple to issue the command "su -" to become root and by using this method you have eliminated the number one vulnerability exploit from SSH. Perpetually running and logging in as root is a sign that you haven't established a proper permissions structure.
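
The detection side of what Hangdog42 and Noway2 describe, as an added example that is not part of any post in the thread: it counts failed sshd logins per username and flags a root login by password, especially one that follows repeated failures from the same address. The log lines are constructed samples using documentation IP ranges, and the alert names and threshold are assumptions.

```python
import re
from collections import Counter

# sshd auth-log messages for password and public-key logins (OpenSSH wording).
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")

def summarize(lines, threshold=3):
    """Return (failed attempts per username, alerts for root password logins)."""
    failed_by_user, failed_by_ip, alerts = Counter(), Counter(), []
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed_by_user[m["user"]] += 1
            failed_by_ip[m["ip"]] += 1
        elif m["user"] == "root" and m["method"] == "password":
            # A root password login after repeated failures from the same
            # address matches the guessed-password intrusion described above.
            if failed_by_ip[m["ip"]] >= threshold:
                alerts.append(("root-password-login-after-failures", m["ip"]))
            else:
                alerts.append(("root-password-login", m["ip"]))
    return failed_by_user, alerts

# Constructed sample log; the last line is a key-based root login from the
# single permitted host and must not raise an alert.
SAMPLE_LOG = """\
May 12 03:10:01 host sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
May 12 03:10:03 host sshd[2201]: Failed password for root from 203.0.113.7 port 40122 ssh2
May 12 03:10:05 host sshd[2203]: Failed password for invalid user nagios from 203.0.113.7 port 40130 ssh2
May 12 03:10:09 host sshd[2207]: Accepted password for root from 203.0.113.7 port 40141 ssh2
May 12 08:00:00 host sshd[3001]: Accepted publickey for root from 10.0.2.1 port 51000 ssh2
"""

if __name__ == "__main__":
    users, alerts = summarize(SAMPLE_LOG.splitlines())
    print(users.most_common())
    print(alerts)
```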

archtoad6 05-18-2011 08:55 AM

Noway2,

In discussing "direct root access", do you put password log-in in the same boat as key based (i.e. ssh-agent) log-in?


All times are GMT -5.