
Re: Review for "PermitRootLogin without-password" change



On Thu, Mar 20, 2014 at 01:31:23PM +0000, Matthew Vernon wrote:
> Colin Watson <cjwatson@debian.org> writes:
> > After (how can I put it) extensive and heated discussion over many
> > years, I intend to change sshd_config in new installations of
> > openssh-server to use "PermitRootLogin without-password" rather than
> > "PermitRootLogin yes".  I have been considering what to do about
> > upgrades.  Loath though I am to ask more questions of the user, writing
> > the README.Debian documentation for this is making me come round to the
> > belief that I probably ought to.  (This is a shame since I'd only
> > recently managed to get rid of the last old and crufty uses of debconf
> > in openssh, but there you go.)
> 
> On reading what follows I was left slightly confused as to who is
> going to be asked the debconf question - just new installations?

No, I was intending that to be asked on upgrades (once only, default
no-change), since it seems to make sense to make people aware of the
change in how new installations are configured so that they can easily
decide if they want to make their systems match that.  I'd rather keep
use of debconf to a minimum; I'm not trying to implement a general
sshd_config editor or anything.  If people want to change a new
installation back to the old default then it seems OK to have them just
edit sshd_config the way they'd do for any other change?

For a bit more context, I've attached my current entirely-untested patch
for this.

-- 
Colin Watson                                       [cjwatson@debian.org]
From 29c505f9c01791f78f5a71c3c6aca7a5f8cfc235 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@debian.org>
Date: Thu, 20 Mar 2014 02:14:01 +0000
Subject: [PATCH] Change to "PermitRootLogin without-password" for new
 installations, and ask a debconf question when upgrading systems with
 "PermitRootLogin yes" from previous versions (closes: #298138).

---
 debian/README.Debian            | 68 +++++++++++++++++++++--------------------
 debian/changelog                |  3 ++
 debian/openssh-server.config    | 23 ++++++++++++++
 debian/openssh-server.postinst  | 12 +++++++-
 debian/openssh-server.templates | 15 +++++++++
 debian/po/POTFILES.in           |  1 +
 debian/po/templates.pot         | 46 ++++++++++++++++++++++++++++
 7 files changed, 134 insertions(+), 34 deletions(-)
 create mode 100644 debian/openssh-server.config
 create mode 100644 debian/openssh-server.templates
 create mode 100644 debian/po/POTFILES.in
 create mode 100644 debian/po/templates.pot

diff --git a/debian/README.Debian b/debian/README.Debian
index 6e6bf9d..4d16eb4 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -15,39 +15,41 @@ Privilege separation is turned on by default, so, if you decide you
 want it turned off, you need to add "UsePrivilegeSeparation no" to
 /etc/ssh/sshd_config.
 
-PermitRootLogin set to yes
---------------------------
-
-This is now the default setting (in line with upstream), and people
-who asked for an automatically-generated configuration file when
-upgrading from potato (or on a new install) will have this setting in
-their /etc/ssh/sshd_config file.
-
-Should you wish to change this setting, edit /etc/ssh/sshd_config, and
-change:
-PermitRootLogin yes
-to:
-PermitRootLogin no
-
-Having PermitRootLogin set to yes means that an attacker that knows
-the root password can ssh in directly (without having to go via a user
-account). If you set it to no, then they must compromise a normal user
-account. In the vast majority of cases, this does not give added
-security; remember that any account you su to root from is equivalent
-to root - compromising this account gives an attacker access to root
-easily. If you only ever log in as root from the physical console,
-then you probably want to set this value to no.
-
-As an aside, PermitRootLogin can also be set to "without-password" or
-"forced-commands-only" - see sshd(8) for more details.
-
-DO NOT FILE BUG REPORTS SAYING YOU THINK THIS DEFAULT IS INCORRECT!
-
-The argument above is somewhat condensed; I have had this discussion
-at great length with many people. If you think the default is
-incorrect, and feel strongly enough to want to argue about it, then
-send email to debian-ssh@lists.debian.org. I will close bug reports
-claiming the default is incorrect.
+PermitRootLogin
+---------------
+
+As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
+without-password".  This disables password authentication for root, foiling
+password dictionary attacks on the root user.  Some sites may wish to use
+the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
+but note that "PermitRootLogin no" will break setups that SSH to root with a
+forced command to take full-system backups.  You can use PermitRootLogin in
+a Match block if you want finer-grained control here.
+
+For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in
+line with upstream.  To avoid breaking local setups, this is still true for
+installations upgraded from before 1:6.6p1-1.  If you wish to change this,
+you should edit /etc/ssh/sshd_config, change it manually, and run "service
+ssh restart" as root.
+
+Disabling PermitRootLogin means that an attacker possessing credentials for
+the root account (any credentials in the case of "yes", or private key
+material in the case of "without-password") must compromise a normal user
+account rather than being able to SSH directly to root.  Be careful to avoid
+a false illusion of security if you change this setting; any account you
+escalate to root from should be considered equivalent to root for the
+purposes of security against external attack.  You might for example disable
+it if you know you will only ever log in as root from the physical console.
+
+Since the root account does not generally have non-password credentials
+unless you explicitly install an SSH public key in its
+~/.ssh/authorized_keys, which you presumably only do if you want to SSH to
+it, "without-password" should be a reasonable default for most sites.
+
+For further discussion, see:
+
+  https://bugs.debian.org/298138
+  https://bugzilla.mindrot.org/show_bug.cgi?id=2164
 
 X11 Forwarding
 --------------
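Review bot: the new README wording ("This disables password authentication for root" and "private key material in the case of 'without-password'") narrows without-password to public keys, but that value admits any non-password method sshd has enabled for root (public key, host-based, GSSAPI), so the old paragraph's pointer "see sshd(8) for more details" is worth keeping after the list of values, and "private key material" reads better as "non-password credentials such as an installed public key". The paragraph starting "Disabling PermitRootLogin means" also describes "yes" as "any credentials" while the heading of the section is about the new default; stating plainly that "without-password" still lets an attacker with the root key in, and only removes the password path, would make the advice to reconsider the accounts you escalate from land better.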
diff --git a/debian/changelog b/debian/changelog
index eccc514..a4fd78f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ openssh (1:6.6p1-1) UNRELEASED; urgency=medium
   * Apply various warning-suppression and regression-test fixes to
     gssapi.patch from Damien Miller.
   * New upstream release (http://www.openssh.com/txt/release-6.6).
+  * Change to "PermitRootLogin without-password" for new installations, and
+    ask a debconf question when upgrading systems with "PermitRootLogin yes"
+    from previous versions (closes: #298138).
 
  -- Colin Watson <cjwatson@debian.org>  Thu, 20 Mar 2014 00:32:46 +0000
 
diff --git a/debian/openssh-server.config b/debian/openssh-server.config
new file mode 100644
index 0000000..27594ad
--- /dev/null
+++ b/debian/openssh-server.config
@@ -0,0 +1,23 @@
+#! /bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+db_version 2.0
+
+get_config_option() {
+	option="$1"
+
+	[ -f /etc/ssh/sshd_config ] || return
+
+	# TODO: actually only one '=' allowed after option
+	perl -ne 'print if s/^[[:space:]]*'"$option"'[[:space:]=]+//i' \
+	   /etc/ssh/sshd_config 2>/dev/null
+}
+
+if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
+   [ "$(get_config_option PermitRootLogin)" = yes ]; then
+	db_input high openssh-server/permit-root-login || true
+	db_go
+fi
+
+exit 0
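Review bot: get_config_option prints the remainder of every matching line, so a file with "PermitRootLogin yes # comment" or with a second PermitRootLogin inside a Match block makes the `= yes` test in the `if` fail and the question is silently never asked; trimming trailing whitespace and comments and taking only the first match before any Match line (sshd honours the first occurrence) would make the check match what sshd actually does. A config with no PermitRootLogin line at all runs with sshd's built-in default, which the README hunk notes was "yes" before this change, yet such a system is never prompted either; treating an empty result as "yes" closes that gap. The TODO about a single '=' also applies to the `[[:space:]=]+` class, which accepts "PermitRootLogin==yes", and the unquoted interpolation of `$option` into the perl pattern means the helper must only ever be called with literal keyword names, which is worth a comment.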
diff --git a/debian/openssh-server.postinst b/debian/openssh-server.postinst
index 0189f5f..daa0f67 100644
--- a/debian/openssh-server.postinst
+++ b/debian/openssh-server.postinst
@@ -1,6 +1,9 @@
 #!/bin/sh
 set -e
 
+. /usr/share/debconf/confmodule
+db_version 2.0
+
 action="$1"
 oldversion="$2"
 
@@ -193,7 +196,7 @@ LogLevel INFO
 
 # Authentication:
 LoginGraceTime 120
-PermitRootLogin yes
+PermitRootLogin without-password
 StrictModes yes
 
 RSAAuthentication yes
@@ -305,8 +308,15 @@ if [ "$action" = configure ]; then
 	    # restart it under systemd.
 	    start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/sshd.pid --exec /usr/sbin/sshd || true
 	fi
+	if dpkg --compare-versions "$2" lt-nl 1:6.6p1-1 && \
+	   [ "$(get_config_option PermitRootLogin)" = yes ] &&
+	   db_get openssh-server/permit-root-login && [ "$RET" = true ]; then
+	    set_config_option PermitRootLogin without-password
+	fi
 fi
 
 #DEBHELPER#
 
+db_stop
+
 exit 0
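Review bot: the line `[ "$(get_config_option PermitRootLogin)" = yes ] &&` drops the trailing backslash used on the line above it; a newline after `&&` is legal sh, but the mixed style invites someone to "fix" it by adding a `\` in one place and not the other, so either end both lines with `\` or put the whole condition on one line. The script already has `oldversion="$2"` (visible in the first hunk's context), so the new test should compare `"$oldversion"` rather than `"$2"` to match the rest of the postinst. The block also re-runs get_config_option rather than trusting the debconf answer alone, which is the right call since the file can change between config and postinst; a one-line comment saying so would stop a later cleanup from removing the second check.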
diff --git a/debian/openssh-server.templates b/debian/openssh-server.templates
new file mode 100644
index 0000000..6650d41
--- /dev/null
+++ b/debian/openssh-server.templates
@@ -0,0 +1,15 @@
+Templates: openssh-server/permit-root-login
+Type: boolean
+Default: false
+_Description: Disable SSH password authentication for root?
+ Previous versions of openssh-server permitted logging in as root over SSH
+ using password authentication. The default for new installations is now
+ "PermitRootLogin without-password", which disables password authentication
+ for root without breaking systems that have explicitly configured SSH
+ public key authentication for root.
+ .
+ This change makes systems more secure against brute-force password
+ dictionary attacks on the root user (a very common target for such
+ attacks). However, it may break systems that are set up with the
+ expectation of being able to SSH as root using password authentication. You
+ should only make this change if you do not need to do that.
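Review bot: the description never says what answering "yes" actually does, namely that PermitRootLogin in /etc/ssh/sshd_config is rewritten to "without-password" and sshd restarted, so an administrator cannot tell from the prompt where to look or how to undo it later; the README hunk already has this wording ("edit /etc/ssh/sshd_config ... service ssh restart"), and repeating one sentence of it here, plus noting that systems that rely on a root public key keep working, would make the boolean self-explanatory. With `Default: false` the prompt is no-change unless the user opts in, which matches the mail; saying so in the long description helps readers who are unsure which answer is the safe one.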
diff --git a/debian/po/POTFILES.in b/debian/po/POTFILES.in
new file mode 100644
index 0000000..c619f34
--- /dev/null
+++ b/debian/po/POTFILES.in
@@ -0,0 +1 @@
+[type: gettext/rfc822deb] openssh-server.templates
diff --git a/debian/po/templates.pot b/debian/po/templates.pot
new file mode 100644
index 0000000..70e64ac
--- /dev/null
+++ b/debian/po/templates.pot
@@ -0,0 +1,46 @@
+# SOME DESCRIPTIVE TITLE.
+# Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER
+# This file is distributed under the same license as the PACKAGE package.
+# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
+#
+#, fuzzy
+msgid ""
+msgstr ""
+"Project-Id-Version: openssh\n"
+"Report-Msgid-Bugs-To: openssh@packages.debian.org\n"
+"POT-Creation-Date: 2014-03-20 02:06+0000\n"
+"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
+"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
+"Language-Team: LANGUAGE <LL@li.org>\n"
+"Language: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=CHARSET\n"
+"Content-Transfer-Encoding: 8bit\n"
+
+#. Type: boolean
+#. Description
+#: ../openssh-server.templates:1001
+msgid "Disable SSH password authentication for root?"
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../openssh-server.templates:1001
+msgid ""
+"Previous versions of openssh-server permitted logging in as root over SSH "
+"using password authentication. The default for new installations is now "
+"\"PermitRootLogin without-password\", which disables password authentication "
+"for root without breaking systems that have explicitly configured SSH public "
+"key authentication for root."
+msgstr ""
+
+#. Type: boolean
+#. Description
+#: ../openssh-server.templates:1001
+msgid ""
+"This change makes systems more secure against brute-force password "
+"dictionary attacks on the root user (a very common target for such attacks). "
+"However, it may break systems that are set up with the expectation of being "
+"able to SSH as root using password authentication. You should only make this "
+"change if you do not need to do that."
+msgstr ""
-- 
1.9.0

