Subject: Re: sshd Change: PermitRootLogin = no
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: Tero Kivinen <kivinen@ssh.fi>
List: current-users
Date: 08/31/2001 16:29:05
wonko@arkham.ws (Brian Hechinger) writes:
> On Fri, Aug 31, 2001 at 05:23:47PM +0900, Curt Sampson wrote:
> > to have inadvertantly changed that, since ssh's default policy as shipped
> > is to allow direct root logins.
> i never did understand that. this is a "security tool" that comes out of the
> box in a very insecure configuration.
I think it is better to change the root password to be secure instead
of turning off the root logins. I do not understand how it makes it
more secure to type in two (quite often identical) passwords instead
of one. I haven't actually heard for long time that a machine was
hacked in by guessing the correct password. Usually the hacking is
done by exploiting the bugs in the software or getting the password by
other means (sniffing the network, logging keystrokes from the
keyboard etc).
> > In order to bring us back to the state we were in before I've changed
> > the default sshd_config file (which is installed as /etc/sshd.conf)
> > to have the "PermitRootLogin" option set to "no". From this point on,
> > if you use direct root logins from the network via ssh, you will want
> > to flip this option back after new installs or re-installs in /etc.
> thank you.
Note, that this will also break all automatic adminstration scripts
people might have. Another option could be to change it to nopwd, in
which case you can login using the rsa keys etc (provided the public
keys are put to .ssh directory) but does not allow login with password
authentication. This does not break the adminstration scripts, but
still prevents adminstrators to login as root directly by typing the
password.
Of course it is actually safer to login directly as root, than using
the su command, as the su command is vulnerable to the timing attacks.
Login directly with ssh is not vulnerable to that kind of attack, as
the password is sent out as one request.
BTW, Can someone explain why the NEWSALT is not compiled in to the
passwd program by default. I am getting tired to turn it on and
recompile the passwd program every time I reinstall a machine. I think
less than 8 character long password is much bigger security problem
than sshd allowing root logins (I login as root quite often, mostly to
do scp -p root@master.host.com:/etc/master.password /etc/ or
similar...
I think the NEWSALT should be turned on by default if the password
typed in to the password prompt is longer than 8 characters. Or at
least make it option that can be turned on from some configuration
file (/etc/nsswitch.conf).
BTW2, what does it mean if I have "passwd: dns" in /etc/nsswitch.conf
(the file says it is supported).
--
kivinen@ssh.fi
SSH Communications Security http://www.ssh.fi/
SSH IPSEC Toolkit http://www.ssh.fi/ipsec/