Bug#298138: ssh: PermitRootLogin should default to "no"

On Sat, Mar 05, 2005 at 02:26:45PM +0100, Thijs Kinkhorst wrote:
> On Sat, March 5, 2005 02:41, Matthew Vernon said:
> > Please read README.Debian before submitting your bug reports - this is
> > good practice for any package, not just ssh.
> You're absolutely correct, I should have done that, sorry.
> If you permit, I'd like to ask a question about this. To me, the text in
> README.Debian is not clear on the following point: how is allowing root
> login just as secure as not allowing that?

Note that OpenSSH upstream ship with PermitRootLogin switched on as
well. This isn't a Debian-specific change.

> You write:
> "If you set it to no, then they must compromise a normal user
> account. In the vast majority of cases, this does not give added
> security; remember that any account you su to root from is equivalent
> to root - compromising this account gives an attacker access to root
> As I understand this, the hacker has to do the following to gain superuser
> 1. Know the root password.
> 1. Compromise a normal user account (one that allows su-ing).
> 2. Know the root password or a local root exploit.

Much easier: compromise a normal user account, install a keylogger, and
wait for that user to su to root. As long as you have an account which
is privileged in this way, you should treat it with the same care as you
treat your root account, since it is ultimately equivalent to root with
only a little work. "PermitRootLogin no" often buys only the illusion of
security, and we'd rather people thought about the issues a little more
carefully than that. Providing the illusion of security without
providing real security is dangerous, since (in this case) it encourages
people to use effectively root-equivalent user accounts as if they were
unprivileged: "they must have turned PermitRootLogin off for a reason".
User accounts, by their nature, tend to be easier to attack.

Colin Watson [email@example.com]
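
An added example, not part of the original message or of the ssh package: a small inventory of every login that ends in root, showing that "PermitRootLogin no" removes only one entry from the list. The sample files are constructed, the `sudo`/`wheel` group names are an assumption standing in for "accounts you su to root from", and the "yes" default follows the message's statement about upstream.

```python
# Added example: constructed sample data, hypothetical account names.
SAMPLE_SSHD_CONFIG = """\
# constructed sshd_config
Port 22
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:bob,carol
users:x:100:alice,bob,carol,dave
"""

# Assumption: members of these groups are the accounts that escalate to root.
PRIVILEGED_GROUPS = {"sudo", "wheel"}


def global_setting(config, keyword, default):
    """Return the global value of an sshd_config keyword (first occurrence wins)."""
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":
            break  # conditional blocks follow; the global section ends here
        if parts[0].lower() == keyword.lower() and len(parts) > 1:
            return parts[1].lower()
    return default


def root_paths(config, group_file, default_root_login):
    """List every login that ends in root: direct root login plus escalating accounts."""
    members = set()
    for line in group_file.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] in PRIVILEGED_GROUPS:
            members.update(u for u in fields[3].split(",") if u)
    paths = sorted(members - {"root"})
    if global_setting(config, "PermitRootLogin", default_root_login) != "no":
        paths.insert(0, "root")
    return paths


if __name__ == "__main__":
    for name in root_paths(SAMPLE_SSHD_CONFIG, SAMPLE_GROUP, "yes"):
        print(name, "-> protect as root")
```

Every name it prints needs the same password, key and host hygiene as root itself, whichever way PermitRootLogin is set.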