LinuxQuestions.org
Old 05-12-2011, 05:44 AM   #1
EngnrRG
LQ Newbie
 
Registered: May 2011
Posts: 3

Rep: Reputation: 0
Direct root login via ssh


Hi experts.

Need help on how to enable direct login of root via ssh?
I found info that I just need to update /etc/ssh/sshd_config, but I couldn't see that file in the location...

Please help.

Many Thanks,
Rhea
 
Old 05-12-2011, 06:49 AM   #2
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Hello,

What distro are you using, and what version of sshd do you have installed? Can I also ask why you would want to do this? Having it configured for root logins is a potential security risk, and I highly recommend to NOT have it configured like that.

Josh
 
1 members found this post helpful.
Old 05-12-2011, 07:10 AM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Seriously, listen to corp769 and don't do this. We recently dealt with an intrusion where it is likely the attacker got access by guessing the root password for ssh. Once compromised, that machine was used to probe for other machines that allowed root access. There was a file containing a loooooooong list of IP addresses with valid root passwords. Those machines are probably now compromised as well.


You REALLY don't want to do this.
 
2 members found this post helpful.
Old 05-12-2011, 07:23 AM   #4
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Quote:
Originally Posted by Hangdog42
Seriously, listen to corp769 and don't do this. We recently dealt with an intrusion where it is likely the attacker got access by guessing the root password for ssh. Once compromised, that machine was used to probe for other machines that allowed root access. There was a file containing a loooooooong list of IP addresses with valid root passwords. Those machines are probably now compromised as well.


You REALLY don't want to do this.
Thanks man. I personally know of several occasions where because root access was allowed, sh*t got f*ck*d up..... But if the OP really wants to do this, then by all means, let him. We are here to recommend and give the *correct* advice, but it doesn't mean that he will listen to us.
 
1 members found this post helpful.
Old 05-12-2011, 08:05 AM   #5
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
I agree that this is something that should not be done, except in the most specific of circumstances. In this situation, the OP stated:
Quote:
I found info that I just need to update /etc/ssh/sshd_config, but I couldn't see that file in the location
EngnrRG, I mean this in the most humble of ways and intend no disrespect, but if you are having trouble with this portion of the process, it is an indication that you don't have a sufficient grasp of Linux configuration to understand the implications and risks associated with the desired action.

If you would please, tell us why you want to permit direct root login and what problem you are trying to solve. Perhaps there is another way that would entail less risk? My initial suspicion would be that you have some form of permissions problem that you are trying to address. SSH via root should be unnecessary as a user can simply login and then su to root and applications have ways to work around direct root login.
 
1 members found this post helpful.
Old 05-12-2011, 08:44 AM   #6
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,633
Blog Entries: 4

Rep: Reputation: 3931
The best way to configure ssh is to set it up so that it requires the use of digital certificates (which you then password-protect), and .. very importantly .. so that it will not "helpfully" keep offering less-and-less secure alternatives such as "passwords."

As ssh is typically deployed, the "s" is a serious misnomer. It is, in fact, "an ass-to-the-wind wide open" shell that (oh, by the way...) happens to encrypt its network traffic. It's an avenue by which "anyone in the world, anywhere in the world" can brute-force passwords.

There should be one and only one way that anyone can get through your secure shell: they must have a badge. In other words, an approved-by-you and issued-by-you personal certificate, encrypted using a password that they alone possess. If you have 100 different workstations that can get to your box, then, yup... you're managing 100 different certificates somehow, but c'est la guerre. If "workstation #93" gets stolen at the airport security checkpoint, you merely have to invalidate "certificate #93" and the door is slammed shut. (Even if the thief somehow knows what the password is that was used to encrypt that certificate, "the badge has been revoked" and it is therefore quite useless.)

VPN, if you have that, must be set up the same way. Don't use passwords, except as a means of securing individually issued certificates.

Security is not a "tool." It is a "process."
 
1 members found this post helpful.
Old 05-13-2011, 05:03 PM   #7
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by Noway2
EngnrRG, I mean this in the most humble of ways and intend no disrespect, but if you are having trouble with this portion of the process, it is an indication that you don't have a sufficient grasp of Linux configuration to understand the implications and risks associated with the desired action.
More eloquent than I could have stated it.

If you really have to ask, you don't want to do this. It's in place for your safety.
 
Old 05-15-2011, 09:24 AM   #8
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
EngnrRG,

I agree w/ all the warnings so far & have given a bunch of rep accordingly.

Now, please answer Noway2's question.
Quote:
Originally Posted by Noway2
...
If you would please, tell us why you want to permit direct root login and what problem you are trying to solve. Perhaps there is another way that would entail less risk? My initial suspicion would be that you have some form of permissions problem that you are trying to address. SSH via root should be unnecessary as a user can simply login and then su to root and applications have ways to work around direct root login.
 
1 members found this post helpful.
Old 05-16-2011, 10:12 AM   #9
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.2
Posts: 1,339

Rep: Reputation: 260
If the file /etc/ssh/sshd_config isn’t there, the defaults will be used I think - so create it. Nevertheless, it’s possible to restrict root-login to be allowed only from certain machines (AllowUsers root@10.0.2.1) and by ssh-passphrase (and the public key) instead of a plain password (PermitRootLogin without-password).
 
0 members found this post helpful.
Old 05-17-2011, 08:30 AM   #10
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
Reuti,

Please hold further answers until we know if EngnrRG is going to respond -- we really, really need to know if we're dealing w/ a user who doesn't understand the dangers s/he may be exposing him/herself to. I wish I could find a workable metaphor that would liken this to loading a hand gun for someone who is planning to shoot him/herself in the foot.
 
1 members found this post helpful.
Old 05-17-2011, 01:14 PM   #11
Skaperen
Senior Member
 
Registered: May 2009
Location: center of singularity
Distribution: Xubuntu, Ubuntu, Slackware, Amazon Linux, OpenBSD, LFS (on Sparc_32 and i386)
Posts: 2,681
Blog Entries: 31

Rep: Reputation: 176
Quote:
Originally Posted by Hangdog42
Seriously, listen to corp769 and don't do this. We recently dealt with an intrusion where it is likely the attacker got access by guessing the root password for ssh. Once compromised, that machine was used to probe for other machines that allowed root access. There was a file containing a loooooooong list of IP addresses with valid root passwords. Those machines are probably now compromised as well.
Just because one network was totally screwed up does not mean direct root cannot be used elsewhere. It's better to just not use passwords, and to instead use encrypted SSH certificates (e.g. ssh-agent). Even then, there are times and places where automated root access may be needed (for example, rsync over ssh system backups). But you do need to understand what all is going on to make the right choices for your computers. And if you do understand that, you would not need to ask online how to get direct root access.
 
Old 05-18-2011, 02:51 AM   #12
EngnrRG
LQ Newbie
 
Registered: May 2011
Posts: 3

Original Poster
Rep: Reputation: 0
Hi guys,

Thanks for all the advice. My problem was resolved... Actually, we don't do this.
This is just an exemption of a server which I just built... I belong to a project team which does the OS build, and for this project we only need to install the OS and they will do the rest like access and all, and since they don't have access to the console, I need to allow direct root login to them and they will do the rest...

I have just updated this file

vi /etc/ssh2/ssh-server-config.xml


Many Thanks to everyone
 
Old 05-18-2011, 03:33 AM   #13
corp769
LQ Guru
 
Registered: Apr 2005
Location: /dev/null
Posts: 5,818

Rep: Reputation: 1007
Anytime! If all of your questions have been answered, please mark your thread solved and give rep if applicable, thanks!

Josh
 
Old 05-18-2011, 04:25 AM   #14
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
and since they don't have access to the console, I need to allow direct root login to them
Since the subject of this thread is "direct root access", I would like to call exception on this as there have been far too many cases in the security forum where systems have been lost as a result of this practice. For that matter, there are far too many threads where the operator is unnecessarily working as root as a routine.

@EngnrRG, please understand that my comments are not directed at you specifically as this is a generalized problem. I would ask that you take into consideration what I am about to say, however.

Root, followed by Nagios and variations of Phpmyadmin are about the three most commonly attempted brute force users. While using key based authentication does help greatly, it is not infallible.

While I do understand and appreciate that there are limited cases where this may be needed, it seems as if every thread on this subject is an exception, which is too much of a stretch. Even with rsync there are ways to set up accounts and permissions to perform this function without enabling direct ssh root login. In the cases where it is required, it is important, if not imperative, that it be restricted in some other fashion, such as limited to a local, private LAN or from a particular IP, etc. Once logged in as a normal user, it is simple to issue the command "su -" to become root and by using this method you have eliminated the number one vulnerability exploit from SSH. Perpetually running and logging in as root is a sign that you haven't established a proper permissions structure.
 
3 members found this post helpful.
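
The restrictions named in posts #9 and #14 (PermitRootLogin without-password, AllowUsers root@10.0.2.1, limiting root to a particular IP) can be checked against an OpenSSH sshd_config. The script below is an added example, not code from any poster in this thread; the function names, the sample configs and the account name "admin" are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: classify root-login exposure from
# sshd_config-style text on stdin. Only the global section is examined.

# sshd keeps the FIRST value it reads for most keywords, and keywords are
# case-insensitive. Print that value, or the supplied default when absent.
effective_value() {
    awk -v key="$1" -v def="$2" '
        /^[ \t]*#/ || NF == 0  { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # conditional blocks are out of scope
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[ \t]+/, ""); print tolower($0); found = 1; exit
        }
        END { if (!found) print def }'
}

# AllowUsers is an exception: patterns accumulate across lines.
# Print the HOST part of every root@HOST pattern.
root_pins() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "allowusers" {
             for (i = 2; i <= NF; i++) if ($i ~ /^root@/) print substr($i, 6)
         }'
}

# Verdicts: closed, key-only (no password for root), unrestricted.
# Assumption: an absent PermitRootLogin means prohibit-password (the default
# since OpenSSH 7.0); pass "yes" as $1 to audit an older release.
audit_root_login() {
    cfg=$(cat)
    prl=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin "${1:-prohibit-password}")
    pins=$(printf '%s\n' "$cfg" | root_pins | paste -sd, -)
    case "$prl" in
        no) verdict=closed ;;
        without-password|prohibit-password|forced-commands-only) verdict=key-only ;;
        yes) verdict=unrestricted ;;
        *) verdict=invalid ;;
    esac
    echo "$verdict${pins:+ from $pins}"
}

# Constructed samples: a duplicated keyword, and the directives from post #9
# ("admin" is a hypothetical second account).
sample_open()   { printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin no'; }
sample_pinned() { printf '%s\n' 'permitrootlogin without-password' 'AllowUsers root@10.0.2.1 admin'; }

sample_open   | audit_root_login   # unrestricted
sample_pinned | audit_root_login   # key-only from 10.0.2.1
```

The first sample shows why a later "PermitRootLogin no" does not help when an earlier "yes" is already in the file. On a live host, `sshd -T` prints the configuration the daemon actually resolved, including compiled-in defaults.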
Old 05-18-2011, 08:55 AM   #15
archtoad6
Senior Member
 
Registered: Oct 2004
Location: Houston, TX (usa)
Distribution: MEPIS, Debian, Knoppix,
Posts: 4,727
Blog Entries: 15

Rep: Reputation: 234
Noway2,

In discussing "direct root access", do you put password log-in in the same boat as key based (i.e. ssh-agent) log-in?
 
  

