Re: blocking ssh Root Logins
Pollywog writes:
>I just do '/etc/init.d/ssh reload' because if I am ssh'ing to the host and
>making changes, a 'kill -HUP sshd' will disconnect me from the session.
On a multiuser box, I bet that nicely whacks every other
session including mine so thanks for saving me trouble later down the
line. :-)

I tried /etc/init/ssh reload
and it worked without disruption. The other little wrinkle that can
look a bit confusing is found in the man page for sshd.
________________________________________________________________________
PermitRootLogin
Specifies whether the root can log in using ssh(1). The argument
must be ``yes'', ``without-password'' or ``no''. The default is
``yes''. If this options is set to ``without-password'' only
password authentication is disabled for root.
________________________________________________________________________
If you just put ``NO'', the reload generates a squawk, but
``without-password'' had the effect of making the root password not
work for a direct root login just like the manual said. It worked
properly for serial port logins and probably works okay for the
console as well as if one uses su -. I think I might have also
thought that without-password meant the root shell was wide open and
you didn't need a password to get in. It's safe to say that that
wouldn't be a desirable configuration on an Internet-connected box.
Martin McCormick WB5AGZ Stillwater, OK
OSU Information Technology Division Network Operations Group
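
The PermitRootLogin behaviour described in the message above, as an added example that is not part of the original post: a shell function that reports how the setting in a config file would be treated, accepting only the three values the quoted man page lists. The name check_root_login and the sample configs are constructed for illustration; it assumes whitespace-separated "keyword value" lines and no Match blocks.

```shell
#!/bin/sh
# Added example, not from the original post.
# check_root_login FILE prints one of:
#   ok:<value>       valid value; root cannot log in over ssh with a password
#   weak:yes         root may log in over ssh with the root password
#   invalid:<value>  not one of the listed values (arguments are
#                    case-sensitive, so "NO" lands here)
#   unset            no PermitRootLogin line; the quoted man page says the
#                    default is "yes"
check_root_login() {
    # sshd_config keywords are case-insensitive and the first occurrence of
    # a keyword wins. Commented-out lines never match because their first
    # field starts with '#'.
    value=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    case "$value" in
        "")                  echo "unset" ;;
        no|without-password) echo "ok:$value" ;;
        yes)                 echo "weak:yes" ;;
        *)                   echo "invalid:$value" ;;
    esac
}

# Constructed sample configs, one per case discussed in the message.
tmp=$(mktemp -d)
printf 'Port 22\nPermitRootLogin NO\n' > "$tmp/upper_case"
printf '#PermitRootLogin yes\npermitrootlogin without-password\nPermitRootLogin yes\n' \
    > "$tmp/first_wins"
printf 'Port 22\n' > "$tmp/no_setting"

for f in upper_case first_wins no_setting; do
    printf '%s: %s\n' "$f" "$(check_root_login "$tmp/$f")"
done
rm -rf "$tmp"
```

On a real host, `sshd -t` performs the authoritative syntax check of the configuration before a reload.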