On Thu, 8 Jan 2015, Przemek Klosowski wrote:
> If you want to fight that, you need to set PasswordAuthentication no and insist that people start using ssh keypairs instead. Singling out root is not effective against system compromises caused by brute forcing passwords. There's another aspect of this, namely accountability.
There are many aspects in the global discussion of ssh keys versus sudo versus passwords. I was trying to stick to the feature request and its justification. Using root with ssh keys has a perfectly fine audit trail that shows whether you or I logged in as root using ssh. We don't need the sudo audit trail for that.
> In realistic environments usually several people have admin privileges and password-based root access is hard to manage---e.g. you need to change root password everywhere when the sysadmin team changes.
I don't think anyone is arguing in favour of keeping root password based logins as the default. It's just too dangerous.
> The defense against password attacks is to not permit password authentication. Disallowing root access will interfere with legitimate root logins, for example automated backup logins, or remote administration tools like puppet or ansible that require root access. For the automation cases I like Chris Adams' suggestion: PermitRootLogin without-password
I'm also fine with that. However, that does not address the ssh scripts that are trying to login as various well-known or short usernames, most of which will have sudo rights once broken. While this feature is named "Set sshd(8) PermitRootLogin=no" what is really meant is "disable password logins leading to root access due to dictionary attacks". So if we truly want to address this feature, we should also disallow non-root user password based ssh logins.

Paul
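
The three configurations weighed in this thread, compared by which password paths each leaves open. This is an added example, not part of the original message or of Fedora's tooling; the function names and sample configs are constructed for illustration. It models only the global section and the two directives named in the thread, so Match blocks and keyboard-interactive/PAM authentication are not evaluated.

```python
import re

# Upstream OpenSSH defaults since 7.0; older releases defaulted PermitRootLogin to "yes".
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

def effective_settings(config_text, defaults=DEFAULTS):
    """Return the global values of the two directives discussed in the thread."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":  # conditional blocks are out of scope for this sketch
            break
        if key in defaults and key not in seen and len(parts) == 2:
            # sshd uses the first value it reads for each keyword
            seen[key] = parts[1].strip().strip('"').lower()
    return {**defaults, **seen}

def password_exposure(config_text, defaults=DEFAULTS):
    """Summarise which login paths a config leaves open to password guessing."""
    s = effective_settings(config_text, defaults)
    pw = s["passwordauthentication"] == "yes"
    root = s["permitrootlogin"]
    return {
        # root can be guessed directly only if both settings allow it
        "root_password_login": pw and root == "yes",
        # anything but "no" keeps key-based root access for backups, ansible, etc.
        # ("forced-commands-only" further restricts it to keys with a forced command)
        "root_key_login": root != "no",
        # sudo-capable user accounts remain guessable while passwords are accepted
        "user_password_login": pw,
    }

# Constructed sample configs, one per position taken in the thread.
FEATURE_AS_NAMED = "PermitRootLogin no\nPasswordAuthentication yes\n"
ADAMS_SUGGESTION = "PermitRootLogin without-password\nPasswordAuthentication yes\n"
KEYS_ONLY = "PasswordAuthentication no\nPermitRootLogin without-password\n"

if __name__ == "__main__":
    for name, cfg in [("PermitRootLogin=no", FEATURE_AS_NAMED),
                      ("without-password", ADAMS_SUGGESTION),
                      ("keys only", KEYS_ONLY)]:
        print(f"{name:20} {password_exposure(cfg)}")
```

Only the last configuration closes the user-account password path that the message above points out.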