Re: disabling root ssh, and ssh password authentification?
From: Doug O'Leary (dkoleary_at_olearycomputers.com)
Date: 11/10/05
- Next message: Buck Turgidson: ""rm" Cannot Delete - Missing Directory Node"
- Previous message: silicono2_at_yahoo.com: "Mozilla/Netscape vs. Firefox"
- In reply to: news_at_celticbear.com: "disabling root ssh, and ssh password authentification?"
- Next in thread: Doug O'Leary: "Re: disabling root ssh, and ssh password authentification?"
- Reply: Doug O'Leary: "Re: disabling root ssh, and ssh password authentification?"
- Reply: news_at_celticbear.com: "Re: disabling root ssh, and ssh password authentification?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 10 Nov 2005 05:40:01 -0800
On 2005-11-09, news@celticbear.com <news@celticbear.com> wrote:
>
>
> Over in comp.os.linux.networking I got advice to enhance security by:
> "disable ssh root access"
> and
> "Typically you'd better disable completely any password
> authentication via ssh"
>
> The question I have is, what good would disabling root ssh access do? I
> mean, if someone has the root password anyway, which they'd have to
> have to ssh, they could probably get in with a different account and
> just "su -" right?
>
> I found this advice on how to disable root ssh. Is this right?
> http://forums.fedoraforum.org/archive/index.php/t-47795.html
>
> The other suggestion, disable any ssh password verification, how?
> And why?
> I mean, would ssh still work? What would do password authentication?
> What's the alternative?
>
> If anyone has any additional advice about this, I'd be very
> appreciative!
> Thanks
> Liam
>
Hey;
As other posters mentioned, you generally want to disable direct root
login so you have at least two authentication points before giving the
keys to your system. Security protocols define authentication factors:
1. What you have (security token)
2. What you know (password/passphrase)
3. What you are (biometrics - finger prints/retinal scans, etc)
The more factors that you employ the better your security. Passwords
by themselves are only one factor. So, disabling direct root login
gives you two one-factor logins. Assuming your logging is configured
correctly, it also gives you another good security concept -
nonrepudiation. This means that whoever logged in as root can't say
"I didn't do that" because you have the log files to prove it.
Disabling ssh password authentication completely actually won't do
much unless you disable telnet access as well (also a good idea, BTW).
The most used alternative to password authentication is public key
authentication. This is actually pretty cool stuff. PKA provides
2-factor authentication because it's something you have (public/private
key pair) and something you know (the passphrase to the key)
The disadvantage to disabling direct root logins is that you, as the
administrator, are going to have a lot more work to do. There's some
amount of setup required to enable PKA to an account. It is literally
impossible for that setup to happen by accident.
That last bit is why, on a case by case basis, I tend to allow direct
root login via PKA only. You still don't have the nonrepudiation;
however, you do have the 2-factor authentication. If you have a very
limited number of keys in ~root/.ssh/authorized_keys file, then
you have at least a place to start when trying to find out who did
what. That probably wouldn't stand up in a court case; however,
it does make day to day administration quite a bit easier.
The O'Reilly book: "SSH: The Secure Shell: The Definitive Guide"
(ISBN: 0-596-00011-1) is an incredibly good reference. I strongly
suggest getting it if you're planning on doing anything beyond standard
password based authentication via ssh...
Oh, as far as anyone w/root password being able to access root
via su, you can tweak that to allow only users belonging to a specific
group. Most UNIX variants use the wheel group membership; however,
a quick scan of the su man page seems to indicate that's not the case
for Linux - at least not my Mandrake 10.0 linux. There is a
/etc/security directory that may or may not exist on your system that
looks promising...
HTH;
Doug
--
--------
Senior UNIX Admin
O'Leary Computer Enterprises
dkoleary@olearycomputers.com
(w) 630-904-6098 (c) 630-248-2749
resume: http://home.comcast.net/~dkoleary/resume.html
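The configuration changes discussed in this reply (no direct root password login, root via public key only, password authentication switched off, su limited by group membership), as an added example in POSIX shell that is not part of Doug's post. It works on a constructed sample sshd_config and a constructed /etc/pam.d/su rather than the real files; the function names (make_sample_sshd_config, sshd_setting, sshd_set, harden_sshd_config, make_sample_pam_su, su_restricted_to_wheel) are mine. Two practitioner details it encodes: sshd honours only the first uncommented occurrence of a directive, so a hardening line appended below an existing "PasswordAuthentication yes" does nothing, and on Linux the wheel-group restriction on su that the post goes looking for is configured through PAM (a pam_wheel.so line in /etc/pam.d/su), the same PAM configuration the post's /etc/security hint belongs to. "PermitRootLogin without-password" is the directive's spelling in OpenSSH of the post's era; current releases accept it as an alias of "prohibit-password".

```shell
#!/bin/sh
# Added example, not code from the original post: audit and harden an
# sshd_config the way the reply describes (root via keys only, no passwords),
# and check whether su is restricted to the wheel group via PAM.

# Constructed sample sshd_config for the demo (not a real server's file).
# Usage: make_sample_sshd_config FILE
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
Protocol 2
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# duplicate further down: sshd ignores it, the first match wins
PasswordAuthentication no
EOF
}

# Effective value of a directive. sshd uses the FIRST uncommented match and
# ignores later duplicates, so the auditor reads the file the same way.
# Usage: sshd_setting FILE KEY  -> prints the value, or "(unset)"
sshd_setting() {
    awk -v key="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "(unset)" }' "$1"
}

# Rewrite FILE so that KEY has VALUE: drop every existing occurrence (active
# or commented out) and put the new directive at the top, where first-match
# semantics guarantee it is the one sshd sees.
# Usage: sshd_set FILE KEY VALUE
sshd_set() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    {
        printf '%s %s\n' "$key" "$value"
        awk -v key="$key" '
            { line = $0; sub(/^#[ \t]*/, "", line); split(line, f, /[ \t]+/) }
            tolower(f[1]) == tolower(key) { next }
            { print }' "$file"
    } > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# The policy from the reply: root only with a key, no passwords anywhere.
# Usage: harden_sshd_config FILE
harden_sshd_config() {
    sshd_set "$1" PermitRootLogin without-password    # root: public key only
    sshd_set "$1" PasswordAuthentication no            # no password logins
    sshd_set "$1" ChallengeResponseAuthentication no   # no keyboard-interactive passwords
    sshd_set "$1" PubkeyAuthentication yes
}

# Constructed /etc/pam.d/su, either with or without the pam_wheel line.
# Usage: make_sample_pam_su FILE restricted|open
make_sample_pam_su() {
    if [ "$2" = restricted ]; then
        cat > "$1" <<'EOF'
#%PAM-1.0  (constructed sample)
auth       sufficient   pam_rootok.so
auth       required     pam_wheel.so use_uid
auth       include      system-auth
account    include      system-auth
session    include      system-auth
EOF
    else
        cat > "$1" <<'EOF'
#%PAM-1.0  (constructed sample)
auth       sufficient   pam_rootok.so
#auth      required     pam_wheel.so use_uid
auth       include      system-auth
account    include      system-auth
session    include      system-auth
EOF
    fi
}

# Linux su does not honour wheel on its own; the knob is an active
# "auth required pam_wheel.so" line in the PAM stack for su.
# Usage: su_restricted_to_wheel PAM_SU_FILE  -> exit 0 if restricted
su_restricted_to_wheel() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Stand-alone demo on a temp copy.
demo_cfg=$(mktemp)
make_sample_sshd_config "$demo_cfg"
echo "before: PermitRootLogin=$(sshd_setting "$demo_cfg" PermitRootLogin)" \
     "PasswordAuthentication=$(sshd_setting "$demo_cfg" PasswordAuthentication)"
harden_sshd_config "$demo_cfg"
echo "after:  PermitRootLogin=$(sshd_setting "$demo_cfg" PermitRootLogin)" \
     "PasswordAuthentication=$(sshd_setting "$demo_cfg" PasswordAuthentication)"
rm -f "$demo_cfg"
```

To use it on a real host, point harden_sshd_config at /etc/ssh/sshd_config, run `sshd -t` to syntax-check the result, and keep your current session open while restarting sshd. Put your public key in ~root/.ssh/authorized_keys (and test a key login) before "PermitRootLogin without-password" goes live, or the console is the only way back in.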