Bug#780396: setting up a headless system

To: Harald Dunkel <harald.dunkel@aixigo.de>, 780396@bugs.debian.org
Subject: Bug#780396: setting up a headless system
From: Colin Watson <cjwatson@debian.org>
Date: Fri, 13 Mar 2015 10:17:40 +0000
Message-id: <[🔎] 20150313101740.GU3020@riva.ucam.org>
Reply-to: Colin Watson <cjwatson@debian.org>, 780396@bugs.debian.org
In-reply-to: <[🔎] 20150313110653.4ebd131f@dpcl082.ac.aixigo.de>
References: <[🔎] 20150313110653.4ebd131f@dpcl082.ac.aixigo.de>

Control: reassign 780396 release-notes
Control: forcemerge 769388 780396

On Fri, Mar 13, 2015 at 11:06:53AM +0100, Harald Dunkel wrote:
> Setting up a headless system failed: root is not 
> allowed to login via ssh, even though it is the 
> only account with a valid shell. 

This is an intentional change, but it does require some adaptation by
people setting up headless systems to e.g. put a public key in place
using preseeding.  See README.Debian (the relevant text follows) and
#769388.

  PermitRootLogin
  ---------------

  As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
  without-password".  This disables password authentication for root, foiling
  password dictionary attacks on the root user.  Some sites may wish to use
  the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
  but note that "PermitRootLogin no" will break setups that SSH to root with a
  forced command to take full-system backups.  You can use PermitRootLogin in
  a Match block if you want finer-grained control here.

  For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in
  line with upstream.  To avoid breaking local setups, this is still true for
  installations upgraded from before 1:6.6p1-1.  If you wish to change this,
  you should edit /etc/ssh/sshd_config, change it manually, and run "service
  ssh restart" as root.

  Disabling PermitRootLogin means that an attacker possessing credentials for
  the root account (any credentials in the case of "yes", or private key
  material in the case of "without-password") must compromise a normal user
  account rather than being able to SSH directly to root.  Be careful to avoid
  a false illusion of security if you change this setting; any account you
  escalate to root from should be considered equivalent to root for the
  purposes of security against external attack.  You might for example disable
  it if you know you will only ever log in as root from the physical console.

  Since the root account does not generally have non-password credentials
  unless you explicitly install an SSH public key in its
  ~/.ssh/authorized_keys, which you presumably only do if you want to SSH to
  it, "without-password" should be a reasonable default for most sites.

  For further discussion, see:

    https://bugs.debian.org/298138
    https://bugzilla.mindrot.org/show_bug.cgi?id=2164

-- 
Colin Watson                                       [cjwatson@debian.org]

Reply to:

References:
- Bug#780396: setting up a headless system
  - From: Harald Dunkel <harald.dunkel@aixigo.de>

Prev by Date: Bug#780396: setting up a headless system
Next by Date: Processed: Re: Bug#780396: setting up a headless system
Previous by thread: Bug#780396: setting up a headless system
Next by thread: Processed: Re: Bug#780396: setting up a headless system
Index(es):
- Date
- Thread