[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: passwordless ssh root logins stopped working after testing dist-upgrade

On Tue, 6 Apr 2010 16:23:35 -0400 (EDT), Jordan Metzmeier wrote:
> On Tue, Apr 6, 2010 at 4:14 PM, Stephen Powell wrote:
>> On Tue, 6 Apr 2010 14:12:19 -0400 (EDT), Russell L. Carter wrote:
>>> I dist-upgraded yesterday and ssh root logins started requiring a
>>> password.
>> OK, I'll bite.  Not that this is any of my business, but why do you
>> allow *root* logins via *ssh* _without_ a password.  Isn't that dangerous?
>> At my shop, our policy is that root is not allowed to login via ssh
>> at all.  root can only login from the system console.  To login as
>> root via ssh, one must login as a normal user first, then su to root.
>> But you not only allow root to login via ssh, you don't even require
>> a password!  That sounds like a security hole big enough to drive a
>> tank through!  Would you mind explaining why you do this?
> What the PermitRootLogin without-password actually does is restrict
> root login to key authentication only. This (imo), is more secure than
> the default configuration as public keys are much more difficult to
> bruteforce than passwords. Also, your typical botnet (based on my own
> experiences/logs) is usually attempting to brute-force passwords.
> Also, you can add a passphrase to your public key so that it requires
> both a key and password. This also works with without-password but
> will create issues when you have scripts that need to be able to
> authenticate non-interactively.
> The sshd_config manpage does not do a very good job of explaining
> this.  Hope that clears up some confusion Stephen.

So the idea is that both the server *and* the client authenticate to
each other via SSL?  (I.e. both server and client have a public key /
private key pair?)  And only someone in possession of the client's
private key would be able to authenticate to the server?  Is that
basically what you're saying?

  .''`.     Stephen Powell    <zlinuxman@wowway.com>
 : :'  :
 `. `'`

Reply to: