Secure OS Software for Linux
cancel
Showing results for 
Search instead for 
Did you mean: 

ssh PermitRootLogin without-password

SOLVED
Go to solution
Michael Steele_2
Honored Contributor

ssh PermitRootLogin without-password

Hello buckaroos!

I have 19 linux servers that refuse to take this change:

PermitRootLogin without-password
#PermitRootLogin yes

...they don't stop a ssh -l root hostname.

I've attached a file with the following output for each server, maybe one of you guys can see something that I don't.

1st Line: uname -a
2nd Line: ls -la /etc/ssh/sshd_config
3rd Line: ssh -V
4th Line: head -1 /etc/ssh/sshd_conifg
5th Line: cat /etc/redhat-release | awk....

Thanks in advance!!!
Support Fatherhood - Stop Family Law
10 REPLIES
Michael Steele_2
Honored Contributor

Re: ssh PermitRootLogin without-password

although a text file people have complained about not being able to upload via Mozilla. The first attach is mozilla, the 2nd is IE.
Support Fatherhood - Stop Family Law
Steven Schweda
Honored Contributor

Re: ssh PermitRootLogin without-password

> [...] this change:

What was the _change_? Which file, where?
Showing "before" and "after" would reveal
more.

I'll guess. Did you comment out the line:
PermitRootLogin yes
?

These configuration files, as supplied, are
normally filled with default values, so
changing
PermitRootLogin yes
to
# PermitRootLogin yes
may be less effective than changing it to
PermitRootLogin no

In many installations, comments in the files
explain this.
Matti_Kurkela
Honored Contributor

Re: ssh PermitRootLogin without-password

If you have SSH keys configured for root on those 19 hosts, and whatever you're connecting from has the appropriate private key available (either directly or via SSH agent forwarding), then of course "PermitRootLogin without-password" will allow you to log in with "ssh -l root hostname".

That's what it means after all ("all authentication methods allowed except password authentication").

Are you thinking about "PermitRootLogin forced-commands-only", perhaps?

Or have you restarted sshd or sent it a "kill -HUP" after making the change?

Or are you confused because it still asks for a password? This is because SSH is designed not to reveal to a potential intruder that trying to log in as root with password authentication is futile: sshd hands over the connection to an Intruder-Time-Waste-o-Mat routine, which requests the password as usual, but even the right password won't be accepted.

MK
MK
Michael Steele_2
Honored Contributor

Re: ssh PermitRootLogin without-password

The way the other 86 linux boxes work is to deny deny root login.

"... has the appropriate private key available ..."

Correct - And taken care of.

".. have you restarted sshd or sent it a "kill -HUP" ..."

- yep - same procedure for 105 boxes - only these 19 fail.
Support Fatherhood - Stop Family Law
Bob_Vance
Esteemed Contributor

Re: ssh PermitRootLogin without-password

This is interesting, but I'm still a little confused.
Still don't know exactly what you mean by
"...they don't stop a ssh -l root hostname."
Does it produce the hostname output
or does it ask for a password?
What behavior exactly are you looking for?

If you have SSH equivalence (shared keys) set up for 'root' between the two servers, then, of course, 'root' would not be queried for a password.

If you have *removed* equivalence, then it will stop and ask for a password.
Then, if the
PermitRootLogin without-password
is set, then the even correct password should fail.

Are you saying that it *accepts* the correct password and allows you to login (or run the command)?


As a side note, I don't see the point of the
PermitRootLogin without-password
(unless you have more than one root user, which I happen to have. see below.
)
If root's are equivalent, then login/command will SUCCEED without asking for pw.
If they are NOT equivalent, then pw will FAIL, so, in effect, root is denied.
How does that differ from
PermitRootLogin no
?


I have two servers "tetty", "kinky",
both with
sshd_config,v 1.59
& OpenSSH_3.6.1p2
.

I have *TWO* root users on each, 'root' and 'rb'.
(I do this to leave 'root' user totally alone.
My 'rb' login is id=0, but he has a different homedir and I can change .profile and other stuff without interfering with the default 'root' account.
)
Equivalence is set up for 'root' between "kinky" & "tetty".
Tetty changed to "without-password" :

tetty ## grep oot /etc/ssh/sshd_config
#PermitRootLogin yes
PermitRootLogin without-password

[root@kinky root]# id
uid=0(root) gid=0(root) ...

[root@kinky root]# ssh root@tetty hostname
tetty

[root@kinky root]# ssh rb@tetty hostname
rb@tetty's password: [correct password entered]
Permission denied, please try again.



bv
"The lyf so short, the craft so long to lerne." - Chaucer
Bob_Vance
Esteemed Contributor
Solution

Re: ssh PermitRootLogin without-password

Brain fart on my part vis-a-vis "without-password" vs "no".

To wit:

PermitRootLogin no

denies root all the time, even if keys have been set up for equivalence.

Whereas

PermitRootLogin without-password

allows root, but *only* if keys are set up, or another form of authentication,'
but *not* password authentication;
it will deny even a valid password.


But that doesn't remove our question of what the exact behavior you want and what is actually happening, instead, in those 19 cases :>)


bv
"The lyf so short, the craft so long to lerne." - Chaucer
Michael Steele_2
Honored Contributor

Re: ssh PermitRootLogin without-password

Bob Vance, I'm looking at your congratulations to Wizard thread as we speak. And something stopped me before providing my usual rubber stamped "Well Done".

It was this thread.

And I am very glad you straightened it out.

:-)
Support Fatherhood - Stop Family Law
Michael Steele_2
Honored Contributor

Re: ssh PermitRootLogin without-password

Well, thank you all for responding. The problem seems to have grown to all of our platforms. So we've postponed the project to gather data and consult with others.

It looks we will be got in a dilemma of old versions of RHEL incompatible with newer version of SSH and just be red flagging them as odd.
Support Fatherhood - Stop Family Law
Michael Steele_2
Honored Contributor

Re: ssh PermitRootLogin without-password

caught in a delimma, ... :-)
Support Fatherhood - Stop Family Law
Michael Steele_2
Honored Contributor

Re: ssh PermitRootLogin without-password

Update - Apparently we are not even using the standard recommended version released for ssh. Apparently we inherited servers from a downsized group that had their own modifications and that's the problem.

Thanks you for your assistance.
Support Fatherhood - Stop Family Law