Review for "PermitRootLogin without-password" change
After (how can I put it) extensive and heated discussion over many
years, I intend to change sshd_config in new installations of
openssh-server to use "PermitRootLogin without-password" rather than
"PermitRootLogin yes". I have been considering what to do about
upgrades. Loath though I am to ask more questions of the user, writing
the README.Debian documentation for this is making me come round to the
belief that I probably ought to. (This is a shame since I'd only
recently managed to get rid of the last old and crufty uses of debconf
in openssh, but there you go.)
I'm considering asking the following via debconf, probably at priority
high, and would like review of the text before inflicting it on

_Description: Disable SSH password authentication for root?
 Previous versions of openssh-server permitted logging in as root over SSH
 using password authentication. The default for new installations is now
 "PermitRootLogin without-password", which disables password authentication
 for root without breaking systems that have explicitly configured SSH
 public key authentication for root.
 .
 This change makes systems more secure against brute-force password
 dictionary attacks on the root user (a very common target for such
 attacks). However, it may break systems that are set up with the
 expectation of being able to SSH as root using password authentication. You
 should only make this change if you do not need to do that.

I'm a native British English speaker, Northern Irish dialect mutated by
fifteen years of living in England. Usually not very much dialect
creeps through into my technical writing, but, you know, advance warning
and all that.
I normally prefer two spaces after sentence-final full stops, and I
followed that in README.Debian, but my recollection is that
debian-l10n-english@ usually prefers one space in debconf template text
so I went with that style here. Let me know if I've misremembered or if
this has changed.
I've taken the linguistic liberty of using "SSH" as a verb in the second
paragraph, because "log in over SSH" gets clunky after the first use.
This is pretty commonplace jargon and I think it's clear in context.
For context as much as for review, here's the new text I currently plan
to include in README.Debian:

As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
without-password". This disables password authentication for root, foiling
password dictionary attacks on the root user. Some sites may wish to use
the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
but note that "PermitRootLogin no" will break setups that SSH to root with a
forced command to take full-system backups. You can use PermitRootLogin in
a Match block if you want finer-grained control here.

For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in
line with upstream. To avoid breaking local setups, this is still true for
installations upgraded from before 1:6.6p1-1. If you wish to change this,
you should edit /etc/ssh/sshd_config, change it manually, and run "service
ssh restart" as root.

Disabling PermitRootLogin means that an attacker possessing credentials for
the root account (any credentials in the case of "yes", or private key
material in the case of "without-password") must compromise a normal user
account rather than being able to SSH directly to root. Be careful to avoid
a false illusion of security if you change this setting; any account you
escalate to root from should be considered equivalent to root for the
purposes of security against external attack. You might for example disable
it if you know you will only ever log in as root from the physical console.

Since the root account does not generally have non-password credentials
unless you explicitly install an SSH public key in its
~/.ssh/authorized_keys, which you presumably only do if you want to SSH to
it, "without-password" should be a reasonable default for most sites.

For further discussion, see:
Colin Watson [firstname.lastname@example.org]
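As an added illustration of the Match-block approach the README mentions (this fragment is not part of the mail or of the Debian packaging), the following sshd_config sets "PermitRootLogin no" site-wide while still letting one backup host run a forced command as root; the address 192.0.2.10 and the script path are assumed placeholders.

```text
# /etc/ssh/sshd_config fragment (added example; the address and script
# path are placeholders, not values from the Debian package)

# Site-wide setting.  In sshd_config the first value obtained for a
# keyword wins, and every line after a Match line belongs to that block
# until the next Match, so the global default must come before any Match.
PermitRootLogin no

# Only the backup host (placeholder address 192.0.2.10) may log in as
# root, and only with a key whose authorized_keys entry carries a
# command="..." option.  Interactive root logins and password logins
# from this host are still refused; all other hosts get the global "no".
Match Address 192.0.2.10
    PermitRootLogin forced-commands-only
```

The matching one-line entry in /root/.ssh/authorized_keys is then of the form `command="/usr/local/sbin/backup-root",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <PUBLIC-KEY>`, so a stolen key can only ever run the backup script. Before running "service ssh restart", `sshd -T -C user=root,host=backup,addr=192.0.2.10` prints the effective settings for that connection so the Match block can be checked without locking yourself out.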