SSH via root

grant123 · Veteran Joined: 23 Mar 2005 Posts: 1099

Can I configure SSH to allow password access for one user and keys access for root?

Can I have SSH root access require a password and keys?

NeddySeagoon · Posted: Sun Mar 02, 2014 10:01 am Post subject:

grant123,

Any ssh access for root it doing it wrong.

Add users you want be be able to gain root access to the wheel group and install and set up sudo.
Users in the wheel group can now do

666threesixes666 · Posted: Sun Mar 02, 2014 10:09 am Post subject:

neddy are you endorsing sudo and disabling root login system wide? as outlined in the sudo talk page found here https://wiki.gentoo.org/wiki/Talk:Sudo#SUDO_VOODOO?????

NeddySeagoon · Posted: Sun Mar 02, 2014 10:47 am Post subject:

666threesixes666,

I disable remote access for root an all my systems but permit console access for root.
I can't remember the last time I used a root login (I've forgotten my root passwords).

To log in via ssh an attacker needs two things, a user name and a password.
If root logins are permitted, the attacker already has 50% of the information to log in.

In my opinion, making wheel group users sudo nopasswd is a step too far.
When I do the odd root command with sudo command, I like the reminder that the password prompt provides.
Its no extra security, since an attacker that is in a wheel users account already has a password collision.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

krinn · Watchman Joined: 02 May 2003 Posts: 7470

krinn · Watchman Joined: 02 May 2003 Posts: 7470

Anon-E-moose · Posted: Sun Mar 02, 2014 1:23 pm Post subject:

For the most part, I keep ssh locked to only access for the local network.

I have gone out of town and visited people, and when that happened,
I took the time to try and look at the range of IPs that would be available and set it up to allow only those.

I'm in the USA, I certainly wouldn't set up potential access for use outside this country.
I know everybodies different, but there are other things to do to tighten up security.
_________________
UM780, 6.12 zen kernel, gcc 13, openrc, wayland

Hu · Administrator Joined: 06 Mar 2007 Posts: 23093

When using sudo, I prefer sudo -i over sudo su -. It is shorter and both result in an interactive root shell, assuming the right password and permissions.

For requiring keys for root, sshd has the special option PermitRootLogin without-password, which prohibits password-based root authentication.

mv · Watchman Joined: 20 Apr 2005 Posts: 6780

NeddySeagoon · Posted: Sun Mar 02, 2014 7:07 pm Post subject:

mv,

grant123 · Veteran Joined: 23 Mar 2005 Posts: 1099

SirRobin2318 · Posted: Mon Mar 03, 2014 2:54 pm Post subject:

You can password protect your ssh keys when you generate them. So your sshd conf would only allow key authentication, but on the client side, when using that key, you'd be required to enter a password to unlock it.

grant123 · Veteran Joined: 23 Mar 2005 Posts: 1099

So if I configure the server with 'PermitRootLogin without-password' and specify a password when generating the keys, the client would be required to have the private key and enter the password when connecting? This password prompt is just like the normal SSH password prompt?

SirRobin2318 · Posted: Mon Mar 03, 2014 6:01 pm Post subject:

Yes, that's it. Give it a try to see if it works as intended. Note that the client can have ssh-agent to remember the password.

1clue · Advocate Joined: 05 Feb 2006 Posts: 2569

Try changing the port of sshd. Put it in the 5-digit range for ports, which basically means nobody is going to scan that high. IMO the absolutely biggest security hole in ssh is a default port.

I would go through any amount of effort to not allow root login from remote under any circumstance, for any reason. Sudo is enough. There are two things I really like about Ubuntu: The first is disabled root account. You can't even log in as root on the terminal. The second is that you can install it in about 5 minutes, but that's not part of this discussion. The presence of a root account which can be used as login is a security nightmare for any IT shop. When somebody gets fired, what you gonna do? Change all root passwords on all the UN*X boxes? That's not rational.

Root login having better passwords: I call BS on that. Root login has no forced password validation. I know several people who use 2 or 3 character passwords for root, and in one case I know both characters are on the home row. Worse yet, this is a business network, and he uses "some two-character combination on the home row" for all his accounts on that network, and had done so for several years. Or i should qualify: He did when I worked with him, and since that was a few years back he might have changed his behavior since.

I've ranted at people for bad passwords for my entire professional IT carreer, which started in the mid 90s. The only way they'll ever change their behavior is to be owned in a huge way with big consequences ($$$), where their bad security is the only possible explanation.

Hu · Administrator Joined: 06 Mar 2007 Posts: 23093

1clue · Advocate Joined: 05 Feb 2006 Posts: 2569

1clue · Advocate Joined: 05 Feb 2006 Posts: 2569

Sorry for the double post. I hadn't really finished my thought.

Premeditated time bombs: In my experience, the IT guy who gets fired is usually either lazy and doesn't do enough (not likely to bother with a back door or time bomb), or not clever enough (no chance of a real back door or time bomb) or suddenly snaps and gets nasty all of a sudden.

I'm not saying premeditated boobytraps are impossible, but rather that doing something like that is illegal at best and criminal in the right circumstances. And probably traceable if you're using sudo.

Unlimited rsync: I can't help but think that if you need this, you're doing it wrong. Allowing rsync to access any file on the system just seems like an invitation to black hats. Backups? Start it on the client and upload a file with an unprivileged account.

szatox · Advocate Joined: 27 Aug 2013 Posts: 3498

666threesixes666 · Posted: Tue Mar 04, 2014 9:15 am Post subject:

i was experimenting with pam today to throttle root failed login attempts. problem with what i was doing was it would lock everyone out of root, not specific ip addresses or what ever.... keys could still get in, and sudo su could still get in, but su was completely barred of entry. i have the clues and pieces to wrap together some sort of policy but i haven't really thought through what should be done with that if anything at all. personally i believe passwd -l root is a superior answer to what pam trys to address. i agree with 1clue about sudo.

ive been playing with the idea of

1. powerless user with ssh keys to login as sudo user
2. sudo user with no password set.
3. sudo su to get to root which also has no password login options.

or powerless user with keys to root user.

auth required pam_tally2.so deny=3 unlock_time=30 even_deny_root

added to /etc/pam.d/system-auth for my experiments.

idk, jailing ssh with fail2ban might be something for you to investigate.

mv · Watchman Joined: 20 Apr 2005 Posts: 6780

1clue · Advocate Joined: 05 Feb 2006 Posts: 2569

BitJam · Posted: Wed Mar 05, 2014 4:45 am Post subject:

OpenSSH/Cookbook/Automated Backup says:

grant123 · Veteran Joined: 23 Mar 2005 Posts: 1099

1clue · Advocate Joined: 05 Feb 2006 Posts: 2569