Re: F22 System Wide Change: Set sshd(8) PermitRootLogin=no

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 01/08/2015 08:42 AM, Paul Wouters wrote:
On Thu, 8 Jan 2015, Jaroslav Reznik wrote:
== Detailed Description ==
Sshd(8) daemon allows remote users to login as 'root' by default. This
provides remote attackers an option to brute force their way into a system.
If you want to fight that, you need to set PasswordAuthentication no and
insist that people start using ssh keypairs instead.

Singling out root is not affective against system compromises caused by
brutce forcing passwords.
There's another aspect of this, namely accountability. In realistic environments usually several people have admin privileges and password-based root access is hard to manage---e.g. you need to change root password everywhere when the sysadmin team changes.

The defense against password attacks is to not permit password authentication.

Disallowing root access will interfere with legitimate root logins, for
example automated backup logins, or remote administration tools like
puppet or ansible that require root access.
For the automation cases I like Chris Adams' suggestion:
PermitRootLogin without-password

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]
  Powered by Linux