Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] Root logins with ssh
Hi,

> I've been using root logins with ssh. Since ssh goes encrypted I
> don't know why this could be a security problem (question 1: please
> confirm that).

I don't log in as root even when I am at the console; at a minimum it
prevents me from doing wrong things if I mistype a command, for instance. I
always use "sudo" instead.

> Anyway I've decided to change into the more (supposed) secure way: no
> root logins. I've done it. This is my current config:

Clever idea!

> roman@goliat:~ > rpm -qa |grep ssh
> openssh-1.2.2-30
>
> (yep, it's buggy, but I don't use scp & similar)
>
> roman@goliat:~ > cat /etc/SuSE-release
> SuSE Linux 6.4 (i386)
> VERSION = 6.4
> root@goliat:/etc/ssh > grep PermitRoot sshd_config
> PermitRootLogin no
>
> Nevertheless I've noted the following behaviour when trying to login
> as root:
> 1) If supplied passwd is incorrect, sshd tells so.
> 2) If supplied passwd is right, you get:
> ROOT LOGIN REFUSED FROM roman
>
> So you could try to guess root passwd by brute force attack. I don't
> like that.
>
> Is this corrected on newer versions?

gergull@alca:~ > rpm -qa |grep ssh
openssh-2.3.0p1-0

gergull@alca:~ > cat /etc/SuSE-release
SuSE Linux 6.3 (i386)
VERSION = 6.3

gergull@alca:~ > sudo grep PermitRoot /etc/ssh/sshd_config
Password:
PermitRootLogin no

gergull@mentor:~ > ssh root@alca
root@alca's password: (wrong password)
Permission denied.

gergull@mentor:~ > ssh root@alca
root@alca's password: (correct password)
Permission denied.

It seems that it's fixed on openssh-2.3.0p1-0.

rgrds,
Braulio Gergull
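
A small Python model of the two behaviours compared in this thread, added here as an illustration; it is not OpenSSH code and not from either poster. The password, the log-line layout and the host names are constructed; only the `ROOT LOGIN REFUSED FROM` text and the `Permission denied.` reply come from the messages above.

```python
import hmac
import re

ROOT_PASSWORD = "example-root-pw"   # constructed placeholder
PERMIT_ROOT_LOGIN = False           # models "PermitRootLogin no"

def _password_ok(supplied):
    # Constant-time compare so timing does not become a second oracle.
    return hmac.compare_digest(supplied.encode(), ROOT_PASSWORD.encode())

def auth_leaky(user, supplied):
    """Reproduces the replies seen with openssh-1.2.2 in the thread."""
    if not _password_ok(supplied):
        return "Permission denied."
    if user == "root" and not PERMIT_ROOT_LOGIN:
        return "ROOT LOGIN REFUSED"   # reachable only with the right password
    return "OK"

def auth_uniform(user, supplied):
    """Reproduces the replies seen with openssh-2.3.0p1 in the thread."""
    valid = _password_ok(supplied)    # evaluated, but never shown for root
    if user == "root" and not PERMIT_ROOT_LOGIN:
        return "Permission denied."
    return "OK" if valid else "Permission denied."

def is_password_oracle(auth, user, right, wrong):
    """True if the reply reveals whether the supplied password was right."""
    return auth(user, right) != auth(user, wrong)

REFUSED = re.compile(r"ROOT LOGIN REFUSED FROM (\S+)")

def sources_knowing_root_password(log_lines):
    """With the leaky behaviour, each refusal means the password was right."""
    hits = (REFUSED.search(line) for line in log_lines)
    return sorted({m.group(1) for m in hits if m})

# Constructed log lines; the layout around the message text is an assumption.
SAMPLE_LOG = [
    "sshd[411]: ROOT LOGIN REFUSED FROM roman",
    "sshd[412]: constructed unrelated line mentioning host-a",
    "sshd[415]: ROOT LOGIN REFUSED FROM host-b",
]

if __name__ == "__main__":
    for auth in (auth_leaky, auth_uniform):
        leaks = is_password_oracle(auth, "root", ROOT_PASSWORD, "wrong")
        print(auth.__name__, "distinguishable replies:", leaks)
    print("rotate root password; seen from:",
          sources_knowing_root_password(SAMPLE_LOG))
```

On a server that still shows the older behaviour, any source returned by the log check has presented the correct root password, so the password should be treated as known to that source.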


