LinuxQuestions.org
Old 12-31-2007, 11:35 PM   #1
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Rep: Reputation: 17
Disable root login via SSH not working


I added

PermitRootLogin no

to my /etc/ssh/sshd_config file and I can still log in via root without issues. I restarted services and even rebooted.

Anyone have any help for me?
 
Old 01-01-2008, 12:25 AM   #2
aus9
LQ 5k Club
 
Registered: Oct 2003
Location: Western Australia
Distribution: Icewm
Posts: 5,842

Rep: Reputation: Disabled
ssh daemon searches include /root and /home/name so if you have them....disable them with root powers.

And I assume you edited your /etc/ file with root powers?
 
Old 01-01-2008, 01:49 AM   #3
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by vonedaddy
... I can still log in via root without issues.
Explain what you mean by that exactly.
 
Old 01-01-2008, 07:30 AM   #4
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by aus9
ssh daemon searches include /root and /home/name so if you have them....disable them with root powers.

And I assume you edited your /etc/ file with root powers?
Yes I edited the /etc/ file while logged in as root.

I am not sure what you mean by disable /root and /home/name with root powers, can you go into a bit more detail for me?


aus9:
I can still directly ssh into my box using the root credentials. I want to disable direct root logins for security purposes. I would like to only be able to log in via a user, then be able to su - or sudo if needed.
 
Old 01-01-2008, 08:23 AM   #5
Brianetta
LQ Newbie
 
Registered: Mar 2007
Location: Newcastle upon Tyne, UK
Distribution: Trustix, Fedora, Ubuntu
Posts: 16

Rep: Reputation: 3
Quote:
Originally Posted by vonedaddy
I added

PermitRootLogin no
You say you added this; did you remove any lines that contradicted it? Check for other PermitRootLogin lines.
 
Old 01-01-2008, 08:54 AM   #6
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by Brianetta
You say you added this; did you remove any lines that contradicted it? Check for other PermitRootLogin lines.
I checked and there are none. Any other ideas?
 
Old 01-01-2008, 10:40 AM   #7
sys-fire
LQ Newbie
 
Registered: Nov 2003
Location: USA
Distribution: Debian and Slackware
Posts: 17

Rep: Reputation: 0
Disabling root login via SSH

As root, edit the file /etc/sshd_config. Add a line that says:

AllowUsers yourusername

Make sure there is no line that says:

AllowUsers root


Hope this helps! :-)
 
Old 01-01-2008, 10:50 AM   #8
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by sys-fire
As root, edit the file /etc/sshd_config. Add a line that says:

AllowUsers yourusername

Make sure there is no line that says:

AllowUsers root


Hope this helps! :-)
No it did nothing... Just to let you know this happened after following the chrootjail instructions here:
http://adamsworld.name/chrootjail.php
 
Old 01-01-2008, 11:25 AM   #9
sys-fire
LQ Newbie
 
Registered: Nov 2003
Location: USA
Distribution: Debian and Slackware
Posts: 17

Rep: Reputation: 0
Did you restart ssh with /etc/init.d/ssh restart?
 
Old 01-01-2008, 11:35 AM   #10
vonedaddy
Member
 
Registered: Aug 2004
Location: Philadelphia,PA
Posts: 185

Original Poster
Rep: Reputation: 17
Quote:
Originally Posted by sys-fire
Did you restart ssh with /etc/init.d/ssh restart?
Not exactly, there is no such file.


[root@bighat ~]# /etc/init.d/ssh restart
-bash: /etc/init.d/ssh: No such file or directory
[root@bighat ~]# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@bighat ~]#


I don't know if there is a difference between ssh and sshd.


And I can still log in via ssh with root credentials.

Last edited by vonedaddy; 01-01-2008 at 11:37 AM.
 
Old 01-01-2008, 01:55 PM   #11
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora
Posts: 3,935
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by vonedaddy
Just to let you know this happened after following the chrootjail instructions here:
http://adamsworld.name/chrootjail.php
This is probably an important clue as to why the problem is occurring.

Note that only the PermitRootLogin no directive is required to prevent ssh root@some.host from working. The additional AllowUsers directive is fine, but it is not necessary since there is already a directive that should do exactly what you want.

It's likely that your sshd daemon inside the chrooted environment is not properly reading its /etc/ssh/sshd_config file. (In fact, I question that howto; I don't see that he is moving any sshd_config file into the chrooted environment.)

My short answer is: Don't bother chrooting the sshd daemon. It's a subpar 'security' feature. A better alternative is to put sshd in a Linux-VServer if you want to contain users.
 
Old 01-03-2008, 09:18 PM   #12
goillini
LQ Newbie
 
Registered: Nov 2007
Distribution: centOS
Posts: 16

Rep: Reputation: 0
You do not need to move the sshd_config file into the chrooted environment. The user does not need access to this file or any other binaries or config files.
Because this only allows for SFTP, they do not need access to such things.

The user will see the dir structure as something like this (will vary depending on what you let them do with it):

Code:
/public_html
/private
/logs
That's it. They don't need anything else.

Also the original problem here is that the tutorial doesn't use the 'stock' install version of openssh. It installs into the /opt directory and therefore all paths would now be relative to that.

If you notice anything blatantly wrong please let me know as I am not an expert, it's just that there wasn't enough information about how to do this easily so I copied my working procedure (and tested it).

-Adam
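
Post #12 attributes the problem to the tutorial's OpenSSH build living under /opt with its own paths, which means an edit to /etc/ssh/sshd_config can be correct and still have no effect. As an added example (not written by any poster in this thread), the script below reports the PermitRootLogin value a given config file yields and flags when the edited file and the file the daemon loads disagree; the two sample files and the function names `effective_root_login` and `configs_agree` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample files below are constructed.

# Print the PermitRootLogin value a config file yields. sshd keeps the FIRST
# value it reads for a keyword and matches keywords case-insensitively.
# Only the global section (before any Match block) is examined.
effective_root_login() {
    awk '
        { sub(/[ \t]*=[ \t]*/, " ") }       # accept "Keyword=value" too
        tolower($1) == "match" { exit }     # stop at the first Match block
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }   # compiled-in default applies
    ' "$1"
}

# Return 0 if the edited file and the file the daemon loads agree, 1 if not.
configs_agree() {
    [ "$(effective_root_login "$1")" = "$(effective_root_login "$2")" ]
}

# Constructed stand-ins: the distribution config the admin edited, and the
# config that belongs to a second OpenSSH build installed under /opt.
tmp=$(mktemp -d)
EDITED="$tmp/etc_ssh_sshd_config"
LOADED="$tmp/opt_build_sshd_config"
printf '%s\n' '# edited by admin' 'PermitRootLogin no' 'permitrootlogin yes' > "$EDITED"
printf '%s\n' 'Port 22' '#PermitRootLogin no' 'Protocol 2' > "$LOADED"

echo "edited file: $(effective_root_login "$EDITED")"
echo "loaded file: $(effective_root_login "$LOADED")"
configs_agree "$EDITED" "$LOADED" || echo "MISMATCH: daemon is not reading the edited file"

# On a live host, identify the running binary and ask it directly
# (sshd -T prints the effective configuration on releases that support it):
#   readlink "/proc/$(pgrep -o -x sshd)/exe"
#   /path/to/that/sshd -T | grep -i permitrootlogin
```

If the binary reported for the running daemon is not the distribution's sshd, the config to edit is the one that build was compiled to read, or the one passed to it with `-f`.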
 
All times are GMT -5.