topic Re: ssh PermitRootLogin without-password in Secure OS Software for Linux

ssh PermitRootLogin without-password

Michael Steele_2 — Fri, 29 Apr 2011 18:42:23 GMT

Hello buckaroos!

I have 19 linux servers that refuse to take this change:

PermitRootLogin without-password
#PermitRootLogin yes

...they don't stop a ssh -l root hostname.

I've attached a file with the following output for each server, maybe one of you guys can see something that I don't.

1st Line: uname -a
2nd Line: ls -la /etc/ssh/sshd_config
3rd Line: ssh -V
4th Line: head -1 /etc/ssh/sshd_conifg
5th Line: cat /etc/redhat-release | awk....

Thanks in advance!!!

Re: ssh PermitRootLogin without-password

Michael Steele_2 — Fri, 29 Apr 2011 18:44:24 GMT

although a text file people have complained about not being able to upload via Mozilla. The first attach is mozilla, the 2nd is IE.

Re: ssh PermitRootLogin without-password

Steven Schweda — Fri, 29 Apr 2011 19:54:05 GMT

> [...] this change:

What was the _change_? Which file, where?
Showing "before" and "after" would reveal
more.

I'll guess. Did you comment out the line:
PermitRootLogin yes
?

These configuration files, as supplied, are
normally filled with default values, so
changing
PermitRootLogin yes
to
# PermitRootLogin yes
may be less effective than changing it to
PermitRootLogin no

In many installations, comments in the files
explain this.

Re: ssh PermitRootLogin without-password

Matti_Kurkela — Fri, 29 Apr 2011 21:25:20 GMT

If you have SSH keys configured for root on those 19 hosts, and whatever you're connecting from has the appropriate private key available (either directly or via SSH agent forwarding), then of course "PermitRootLogin without-password" will allow you to log in with "ssh -l root hostname".

That's what it means after all ("all authentication methods allowed except password authentication").

Are you thinking about "PermitRootLogin forced-commands-only", perhaps?

Or have you restarted sshd or sent it a "kill -HUP" after making the change?

Or are you confused because it still asks for a password? This is because SSH is designed not to reveal to a potential intruder that trying to log in as root with password authentication is futile: sshd hands over the connection to an Intruder-Time-Waste-o-Mat routine, which requests the password as usual, but even the right password won't be accepted.

MK

Re: ssh PermitRootLogin without-password

Michael Steele_2 — Fri, 29 Apr 2011 22:56:44 GMT

The way the other 86 linux boxes work is to deny deny root login.

"... has the appropriate private key available ..."

Correct - And taken care of.

".. have you restarted sshd or sent it a "kill -HUP" ..."

- yep - same procedure for 105 boxes - only these 19 fail.

Re: ssh PermitRootLogin without-password

Bob_Vance — Sun, 01 May 2011 12:36:58 GMT

This is interesting, but I'm still a little confused.
Still don't know exactly what you mean by
"...they don't stop a ssh -l root hostname."
Does it produce the hostname output
or does it ask for a password?
What behavior exactly are you looking for?

If you have SSH equivalence (shared keys) set up for 'root' between the two servers, then, of course, 'root' would not be queried for a password.

If you have *removed* equivalence, then it will stop and ask for a password.
Then, if the
PermitRootLogin without-password
is set, then the even correct password should fail.

Are you saying that it *accepts* the correct password and allows you to login (or run the command)?

As a side note, I don't see the point of the
PermitRootLogin without-password
(unless you have more than one root user, which I happen to have. see below.
)
If root's are equivalent, then login/command will SUCCEED without asking for pw.
If they are NOT equivalent, then pw will FAIL, so, in effect, root is denied.
How does that differ from
PermitRootLogin no
?

I have two servers "tetty", "kinky",
both with
sshd_config,v 1.59
& OpenSSH_3.6.1p2
.

I have *TWO* root users on each, 'root' and 'rb'.
(I do this to leave 'root' user totally alone.
My 'rb' login is id=0, but he has a different homedir and I can change .profile and other stuff without interfering with the default 'root' account.
)
Equivalence is set up for 'root' between "kinky" & "tetty".
Tetty changed to "without-password" :

tetty ## grep oot /etc/ssh/sshd_config
#PermitRootLogin yes
PermitRootLogin without-password

[root@kinky root]# id
uid=0(root) gid=0(root) ...

[root@kinky root]# ssh root@tetty hostname
tetty

[root@kinky root]# ssh rb@tetty hostname
rb@tetty's password: [correct password entered]
Permission denied, please try again.

bv

Re: ssh PermitRootLogin without-password

Bob_Vance — Wed, 04 May 2011 18:46:38 GMT

Brain fart on my part vis-a-vis "without-password" vs "no".

To wit:

PermitRootLogin no

denies root all the time, even if keys have been set up for equivalence.

Whereas

PermitRootLogin without-password

allows root, but *only* if keys are set up, or another form of authentication,'
but *not* password authentication;
it will deny even a valid password.

But that doesn't remove our question of what the exact behavior you want and what is actually happening, instead, in those 19 cases :>)

bv

Re: ssh PermitRootLogin without-password

Michael Steele_2 — Thu, 05 May 2011 17:47:33 GMT

Bob Vance, I'm looking at your congratulations to Wizard thread as we speak. And something stopped me before providing my usual rubber stamped "Well Done".

It was this thread.

And I am very glad you straightened it out.

:-)

Re: ssh PermitRootLogin without-password

Michael Steele_2 — Thu, 05 May 2011 17:50:17 GMT

Well, thank you all for responding. The problem seems to have grown to all of our platforms. So we've postponed the project to gather data and consult with others.

It looks we will be got in a dilemma of old versions of RHEL incompatible with newer version of SSH and just be red flagging them as odd.

Re: ssh PermitRootLogin without-password

Michael Steele_2 — Thu, 05 May 2011 17:51:06 GMT

caught in a delimma, ... :-)

Re: ssh PermitRootLogin without-password

Michael Steele_2 — Fri, 06 May 2011 17:43:09 GMT

Update - Apparently we are not even using the standard recommended version released for ssh. Apparently we inherited servers from a downsized group that had their own modifications and that's the problem.

Thanks you for your assistance.