Tuesday, October 8, 2013

Allow root ssh login with public key authentication only

Often, ssh is configured to disallow root from logging in directly. Instead, the administrator first logs in as a non-privileged user and then uses sudo to become root.

There can be many reasons why you don't want root to log in directly. You may be concerned about security: brute force attacks that guess the password are common. In addition to security, you may be concerned about traceability. If there is more than 1 administrator on a system, and they can all log in as root, then it is impossible to trace who has done what (after all, it is the same root account).

As an alternative, we can configure sshd so that root can log in remotely and directly, but only with public key authentication. From the security perspective, public key authentication offers much better protection than a password. If being able to trace the user is not that important (say there is only 1 root user), then you may wish to consider such a configuration. Note: remote login by root using password authentication is still disallowed.

  1. As root, edit the sshd daemon configuration file (/etc/ssh/sshd_config).
  2. Modify the PermitRootLogin and the PubkeyAuthentication parameters to have the following values.
    PermitRootLogin without-password
    PubkeyAuthentication yes
    
  3. Restart the sshd daemon.
    $ service sshd restart
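
A check worth running before the restart, given here as an added example that is not part of the original post: sshd honours only the first value it reads for each keyword, so appending the two lines from step 2 below an existing `PermitRootLogin yes` changes nothing. The function names are hypothetical, and the script assumes whitespace-separated `Keyword value` lines and no `Include` files; it also accepts `prohibit-password`, the newer OpenSSH synonym for `without-password`.

```shell
#!/bin/sh
# Added example (not from the original post): report the root-login policy
# that an sshd_config file actually yields. Function names are hypothetical.
# Assumes "Keyword value" lines separated by whitespace and no Include files.

# Print the first global value of keyword $1 in file $2. sshd keeps the first
# value it reads for a keyword, so a later duplicate line is silently ignored.
first_value() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }       # comments and blank lines
        tolower($1) == "match" { exit }      # lines after Match are conditional
        tolower($1) == key { print $2; exit }
    ' "$2"
}

# Classify how root may log in according to config file $1.
root_login_policy() {
    prl=$(first_value PermitRootLogin "$1")
    pka=$(first_value PubkeyAuthentication "$1")
    case "$prl" in
        without-password|prohibit-password)
            # Key-only root login also needs public key auth enabled
            # (PubkeyAuthentication defaults to yes when unset).
            if [ "${pka:-yes}" = "yes" ]; then echo key-only
            else echo key-auth-off; fi ;;
        yes) echo unrestricted ;;
        no)  echo disabled ;;
        forced-commands-only) echo forced-commands-only ;;
        "")  echo unset ;;     # compiled-in default applies
        *)   echo unknown ;;
    esac
}

# Constructed sample: the setting from step 2 was appended below an existing
# "PermitRootLogin yes", so it never takes effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
PubkeyAuthentication yes
PermitRootLogin without-password
EOF
echo "policy: $(root_login_policy "$sample")"   # policy: unrestricted
rm -f "$sample"
```

On a live host, running `sshd -T` as root prints the effective configuration, including values pulled in from included files.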
    

1 comment:

Peterino said...

Nice post with interesting thoughts. Though, I personally really do discourage working as root altogether. Working as root is like using a Windows computer with the Administrator account. It's one of the reasons Windows viruses are so successful.

Each and every geek working as root is - sorry - irresponsible. It's no excuse that you know Linux systems better than anyone in your neighborhood. If you work as root you violate proper administration practice. You should always work as a non-privileged user and execute tasks using "sudo" or "su -c ...". With a decent sudo configuration you can even work around having to type your password for specific actions; this way you retain security for the rest of the system you maintain.

To sum up, my preferred configuration for sshd is:

PermitRootLogin no

PubkeyAuthentication yes

PasswordAuthentication no

... and put SSH public keys in ~/.ssh/authorized_keys of the user account on the server.

For corporate use I recommend making extensive use of the ~/.ssh/config file. (I learned this on your blog, btw. Thanks a bunch!) -- Rolled out a decent configuration you can allow all your developers to log in to machines in your infrastructure by simply typing "ssh servername". No passwords, no root abuse, more comfort, more security.