Bug#780396: setting up a headless system
Control: reassign 780396 release-notes
Control: forcemerge 769388 780396
On Fri, Mar 13, 2015 at 11:06:53AM +0100, Harald Dunkel wrote:
> Setting up a headless system failed: root is not
> allowed to login via ssh, even though it is the
> only account with a valid shell.
This is an intentional change, but it does require some adaptation by
people setting up headless systems to e.g. put a public key in place
using preseeding. See README.Debian (the relevant text follows) and
#769388.
PermitRootLogin
---------------
As of 1:6.6p1-1, new installations will be set to "PermitRootLogin
without-password". This disables password authentication for root, foiling
password dictionary attacks on the root user. Some sites may wish to use
the stronger "PermitRootLogin forced-commands-only" or "PermitRootLogin no",
but note that "PermitRootLogin no" will break setups that SSH to root with a
forced command to take full-system backups. You can use PermitRootLogin in
a Match block if you want finer-grained control here.
For many years Debian's OpenSSH packaging used "PermitRootLogin yes", in
line with upstream. To avoid breaking local setups, this is still true for
installations upgraded from before 1:6.6p1-1. If you wish to change this,
you should edit /etc/ssh/sshd_config, change it manually, and run "service
ssh restart" as root.
Disabling PermitRootLogin means that an attacker possessing credentials for
the root account (any credentials in the case of "yes", or private key
material in the case of "without-password") must compromise a normal user
account rather than being able to SSH directly to root. Be careful to avoid
a false illusion of security if you change this setting; any account you
escalate to root from should be considered equivalent to root for the
purposes of security against external attack. You might for example disable
it if you know you will only ever log in as root from the physical console.
Since the root account does not generally have non-password credentials
unless you explicitly install an SSH public key in its
~/.ssh/authorized_keys, which you presumably only do if you want to SSH to
it, "without-password" should be a reasonable default for most sites.
For further discussion, see:
https://bugs.debian.org/298138
https://bugzilla.mindrot.org/show_bug.cgi?id=2164
--
Colin Watson [cjwatson@debian.org]
Reply to: