Re: Review for "PermitRootLogin without-password" change



On Fri, Mar 21, 2014 at 12:42:22PM -0700, Russ Allbery wrote:
> Colin Watson <cjwatson@debian.org> writes:
> > Thanks for this feedback.  Do you have any suggestions for where we
> > might publicise this in an effective way?
> 
> Adding it to the jessie release notes, at least, seems like it would be a
> good idea.  (I also wholeheartedly agree with the change, though.)

That indeed sounds sensible.  I'm not sure anyone has started the jessie
release notes, and building from Subversion currently generates release
notes that claim to be for wheezy; but how does the following change
read?

Index: en/issues.dbk
===================================================================
--- en/issues.dbk	(revision 10387)
+++ en/issues.dbk	(working copy)
@@ -426,4 +426,36 @@
   </para>
 </section>
 
+<section id="openssh">
+  <title>Changed default for OpenSSH PermitRootLogin</title>
+  <para>
+    New installations of the <systemitem
+      role="package">openssh-server</systemitem> package in Debian &release;
+    disable SSH password authentication for the <literal>root</literal>
+    user by default.  This defeats brute-force password dictionary attacks
+    on the <literal>root</literal> user, which is a very common target for
+    such attacks.  It is still possible to SSH as <literal>root</literal> by
+    adding public keys to <filename>/root/.ssh/authorized_keys</filename> in
+    the usual way; for instance, this may be useful for remote backups (with
+    a forced command) or simply to avoid making another user effectively
+    equivalent to <literal>root</literal> by routinely using it for system
+    administration.
+  </para>
+  <para>
+    We recommend making the same change when upgrading systems.  If the
+    debconf priority is set to <literal>high</literal> or below, then you
+    will be offered the opportunity to have this change made for you when
+    upgrading <systemitem role="package">openssh-server</systemitem>.
+    However, this change may break systems that are set up expecting to be
+    able to SSH as <literal>root</literal> using password authentication,
+    and so we do not default to applying this change on upgrades.  If you
+    were not offered this change on upgrade, or if you decide to apply it
+    later, then edit <filename>/etc/ssh/sshd_config</filename> as
+    <literal>root</literal> and change:
+    <screen>PermitRootLogin yes</screen>
+    to:
+    <screen>PermitRootLogin without-password</screen>
+  </para>
+</section>
+
 </chapter>
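Review bot: The upgrade procedure in the second paragraph ends at the edit of /etc/ssh/sshd_config, but sshd only picks the new value up when it re-reads its configuration, so the section should close with a step to restart or reload the SSH server (and, ideally, to check the file with `sshd -t` first). Two smaller points on the same paragraph: the instruction assumes an uncommented `PermitRootLogin yes` line is present, so say that if the directive is commented out or absent the reader should add `PermitRootLogin without-password` (placed before any later occurrence, since sshd uses the first value it finds for a keyword); and since the first paragraph already notes that root password logins stop working, suggest installing a key in /root/.ssh/authorized_keys, or keeping a second session open, before applying the change to a remote system. A suggested closing sentence: "Then restart the SSH server so that the new setting takes effect."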

-- 
Colin Watson                                       [cjwatson@debian.org]