openssh-7.1p2 patch disables root login. Can it be re-enabled?
I think I'm missing something. I ran a slackpkg upgrade openssh* after getting the security alert. Kept old config files. Can no longer log in via SSH (PuTTY) as root. Tried making readme changes to /etc/ssh/ files, no joy. So I've restored the original config files, back to square one.
Is it completely impossible to log in as root over SSH now after this update? Thanks.

You need this in your /etc/ssh/sshd_config:
Code:
PermitRootLogin yes

Pat told you 2 posts earlier

Well, although I truly respect Pat's posts, I did not respond because that option is set. After seeing this config file, I realize I did not keep the new sshd_config file. But on my first attempt I did use the new config file and changed my network and the PermitRootLogin yes options before I restored the old config files. If it matters, eth0 is externally facing. eth1 is the only interface enabled which is on the internal network.
Code:
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

Looks like I needed to install the new config files. I reran updates, used the new config files, changed them to my needs, and it worked fine. Rolling out to the other servers shortly.
Thanks for the help everyone.

I personally wouldn't risk allowing password logins for root on an internet-facing server (most brute force attacks on my ssh server are root login attempts). If you need password logins it's less risky to set "PermitRootLogin no", which allows password logins for other users, then su into root after logging in. Obviously this is only helpful if you use a non-obvious user name :-)

Since it's connected to allowing 'PermitRootLogin' (or not), here is a nice list for improving OpenSSH security, which one can pick and choose from.

I agree. Set the first settings in config to your internal network interface only, which disables ssh on the external interface. And a very strong password is always a must.
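
Added example, not part of any post in this thread: a shell audit of the settings the replies above discuss (PermitRootLogin, password logins and ListenAddress). It also shows why an edited option can appear to be ignored, since sshd uses the first value it reads for a keyword. The function names, the sample configs and the address 192.168.1.10 are constructed for illustration, and the fallback defaults assume OpenSSH 7.0 or later.

```sh
#!/bin/sh
# Added example, not from the thread. Covers the global section only: parsing
# stops at the first Match block; Include files and key=value are not handled.

# effective_value FILE KEYWORD DEFAULT
# sshd keeps the first value it reads for a keyword and ignores later ones.
# Keywords are case-insensitive; a commented-out line never matches because
# its first field starts with "#".
effective_value() {
    awk -v key="$2" -v def="$3" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# listen_scope FILE: "all" if no ListenAddress is set or one is a wildcard.
listen_scope() {
    awk '
        tolower($1) == "match" { exit }
        tolower($1) == "listenaddress" {
            n++
            if ($2 ~ /^(0\.0\.0\.0|\[?::\]?)(:[0-9]+)?$/) wild = 1
        }
        END { if (n == 0 || wild) print "all"; else print "restricted" }
    ' "$1"
}

# audit FILE: print effective settings and findings; status 1 on any finding.
# The fallback values passed below are the OpenSSH 7.0+ built-in defaults.
audit() {
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    scope=$(listen_scope "$1")
    echo "PermitRootLogin=$root PasswordAuthentication=$pass listen=$scope"
    rc=0
    [ "$root" = yes ] && [ "$pass" = yes ] && { echo "FINDING: root password login"; rc=1; }
    [ "$scope" = all ] && { echo "FINDING: sshd listens on every address"; rc=1; }
    return $rc
}

# Constructed sample configs; 192.168.1.10 is a made-up internal address.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
printf '%s\n' '#ListenAddress 0.0.0.0' 'PermitRootLogin yes' \
    '#PasswordAuthentication yes' > "$tmp/weak"
printf '%s\n' 'ListenAddress 192.168.1.10' 'PermitRootLogin no' \
    'PasswordAuthentication yes' 'permitrootlogin yes' > "$tmp/hardened"
for f in weak hardened; do echo "== $f"; audit "$tmp/$f" || true; done
```

On a live system, `sshd -T` prints the configuration the daemon would actually use, including Match and Include handling that this sketch skips.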