LinuxQuestions.org > Slackware
openssh-7.1p2 patch disables root login. Can it be re-enabled? (https://www.linuxquestions.org/questions/slackware-14/openssh-7-1p2-patch-disables-root-login-can-it-be-re-enabled-4175564416/)

Suncoast 01-19-2016 04:56 PM

openssh-7.1p2 patch disables root login. Can it be re-enabled?
 
I think I'm missing something. I ran a slackpkg upgrade openssh* after getting the security alert. Kept old config files. Can no longer log in via SSH (PuTTY) as root. Tried making readme changes to /etc/ssh/ files, no joy. So I've restored the original config files, back to square one.


Is it completely impossible to log in as root over SSH now after this update?

Thanks.

volkerdi 01-19-2016 04:58 PM

You need this in your /etc/ssh/sshd_config:

Code:

PermitRootLogin yes

CTM 01-20-2016 07:20 AM

Quote:

Originally Posted by Suncoast (Post 5481165)
I ran a slackpkg upgrade openssh* after getting the security alert. Kept old config files. Can no longer login via SSH (Putty) as root.

Note that 7.1p2 doesn't prevent remote root logins altogether - the implied value of "PermitRootLogin" following the update changed from "yes" to "prohibit-password", which only prevents you from logging in as root using password-based authentication. Logging in as root using public key-based authentication is still allowed using the default sshd_config (and is strongly recommended over password-based auth).
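To make the "implied value" point above concrete, here is an added example (not code from the thread, OpenSSH or Slackware) that reads an sshd_config, applies the OpenSSH 7.x defaults for absent or commented keywords, and reports which root login paths remain open. The three sample configs are constructed; the `DEFAULTS` table and the first-occurrence-wins and comment-handling rules are assumptions about sshd's parser.

```python
"""Work out how root may authenticate under an sshd_config (added example for
this thread, not OpenSSH or Slackware code). Defaults are those of OpenSSH 7.x."""

# Implicit values sshd uses when a keyword is absent or commented out (OpenSSH 7.x).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed configs: the poster's override, the shipped default, and a hardened one.
WEAK_CONFIG = "Port 9807\nPermitRootLogin yes\n#PasswordAuthentication yes\n"
DEFAULT_CONFIG = "#PermitRootLogin prohibit-password\n#PasswordAuthentication yes\n"
HARDENED_CONFIG = ("PermitRootLogin prohibit-password\nPasswordAuthentication no\n"
                   "ChallengeResponseAuthentication no\n")

def parse_sshd_config(text):
    """Map lowercase keyword -> value for active lines before the first Match block.

    sshd keeps the first occurrence of a keyword, so later duplicates are ignored.
    Assumes '#' starts a comment anywhere on the line.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1]
        if key == "match":
            break  # later lines apply only to matching users/hosts; out of scope here
        settings.setdefault(key, value)
    return settings

def root_login_policy(text):
    """Return which root login paths the config leaves open."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    prl = cfg["permitrootlogin"].lower()
    if prl == "without-password":  # older spelling of prohibit-password
        prl = "prohibit-password"
    root_ok = prl != "no"
    pw_on = "yes" in (cfg["passwordauthentication"].lower(),
                      cfg["challengeresponseauthentication"].lower())
    return {"root_login": root_ok,
            "root_password": root_ok and prl == "yes" and pw_on,
            "root_pubkey": root_ok and cfg["pubkeyauthentication"].lower() == "yes"}
```

Running `root_login_policy` over `/etc/ssh/sshd_config` before and after an upgrade shows exactly which path a `PermitRootLogin yes` override reopens.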

Suncoast 01-20-2016 08:18 AM

Quote:

Logging in as root using public key-based authentication is still allowed using the default sshd_config
OK, read up on that. This is where I'm in trouble. Is there a way to re-enable password authentication?

michelino 01-20-2016 08:31 AM

Pat told you 2 posts earlier

CTM 01-20-2016 11:37 AM

Quote:

Originally Posted by Suncoast (Post 5481500)
OK, read up on that. This is where I'm in trouble. Is there a way to re-enable password authentication?

"PermitRootLogin yes" will enable both password-based and public key-based authentication for the root user. If this is on a remote system on the public Internet, though, I strongly recommend setting up public key-based auth, at least for root, and leaving Slackware's new /etc/ssh/sshd_config as-is. The change to the default value of PermitRootLogin was made by the OpenSSH developers for a good reason (to see why, run "grep 'sshd.*Failed password for root' /var/log/messages | less" on your remote system :)).
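As an added example (not from the thread or OpenSSH), the grep suggested above turned into a small triage script: it matches the same "Failed password for root" events in syslog-format lines and groups them by source address so repeat offenders stand out. The log lines and the threshold are constructed.

```python
"""Count failed root password attempts per source in a syslog-style log.

Added example for this thread, not OpenSSH or Slackware code. Equivalent to
  grep 'sshd.*Failed password for root' /var/log/messages
but aggregated by source IP. The sample lines below are constructed."""
import re
from collections import Counter

SAMPLE_LOG = """\
Jan 20 11:30:01 srv sshd[2101]: Accepted publickey for root from 192.168.2.10 port 50012 ssh2
Jan 20 11:31:14 srv sshd[2110]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jan 20 11:31:16 srv sshd[2110]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jan 20 11:31:19 srv sshd[2110]: Failed password for root from 203.0.113.5 port 41022 ssh2
Jan 20 11:32:02 srv sshd[2118]: Failed password for invalid user admin from 198.51.100.7 port 39810 ssh2
Jan 20 11:32:40 srv sshd[2125]: Failed password for root from 198.51.100.7 port 39844 ssh2
Jan 20 11:33:05 srv sshd[2130]: Accepted password for bob from 192.168.2.11 port 50100 ssh2
"""

# Only root's own password failures; "invalid user" lines name another account.
FAILED_ROOT = re.compile(
    r"sshd\[\d+\]: Failed password for root from (?P<ip>[0-9a-fA-F:.]+) port \d+"
)

def failed_root_logins(log_text):
    """Return a Counter mapping source IP -> failed root password attempts."""
    hits = Counter()
    for line in log_text.splitlines():
        m = FAILED_ROOT.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def noisy_sources(log_text, threshold=3):
    """Sources at or above the threshold, busiest first (a simple alert rule)."""
    return [(ip, n) for ip, n in failed_root_logins(log_text).most_common()
            if n >= threshold]

if __name__ == "__main__":
    for ip, n in failed_root_logins(SAMPLE_LOG).most_common():
        print(f"{ip:>16}  {n} failed root password attempts")
```

Point it at the real file with `failed_root_logins(open("/var/log/messages").read())`; a long tail of single-digit sources is normal background noise, the counts that matter are the ones `noisy_sources` returns.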

Suncoast 01-21-2016 09:54 AM

Well, although I truly respect Pat's posts, I did not respond because that option is set. After seeing this config file, I realize I did not keep the new sshd_config file. But on my first attempt I did use the new config file and changed my network and the PermitRootLogin yes options before I restored the old config files. If it matters, eth0 is externally facing. eth1 is the only interface enabled which is on the internal network.
Code:

#      $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 9807
#AddressFamily any
ListenAddress 192.168.2.253
ListenAddress  ::1/128

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox          # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem      sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#      X11Forwarding no
#      AllowTcpForwarding no
#      PermitTTY no
#      ForceCommand cvs server


Suncoast 04-05-2016 09:07 AM

Looks like I needed to install the new config files. I reran updates, used the new config files, changed them to my needs, and it worked fine. Rolling out to the other servers shortly.

Thanks for the help everyone.

jrigg 04-05-2016 12:10 PM

I personally wouldn't risk allowing password logins for root on an internet-facing server (most brute force attacks on my ssh server are root login attempts). If you need password logins it's less risky to set "PermitRootLogin no", which allows password logins for other users, then su into root after logging in. Obviously this is only helpful if you use a non-obvious user name :-)

drgibbon 04-06-2016 01:20 AM

Since it's connected to allowing 'PermitRootLogin' (or not), here is a nice list for improving OpenSSH security, which one can pick and choose from.

Suncoast 04-06-2016 07:37 AM

I agree. Set the first settings in config to your internal network interface only, which disables ssh on the external interface. And a very strong password is always a must.

