Trisquel allowing remote login as root?
- Inicie sesión o regístrese para enviar comentarios
Hey.
So, following my issue of my laptop using too much CPU, I decided to take a look at security and noticed that running RKHunter gave me a warning on SSH login.
I noticed that /etc/ssh/sshd_config had these 2 lines:
"PermitRootLogin without_password"
"StrictModes Yes"
I immediately changed them to "no" and RKHUnter no longer complains on this.
Is this the default of every installation?
I am actually thinking that ssh shouldn't even be installed by default, since most people who install a desktop OS won't be using ssh. Especially since Trisquel (as most GNU/Linux distros) comes without a firewall by default.
Anyway, interested in knowing if this was supposed to be this way or not.
I am planning on doing that, though it really is not all important (I have my firewall blocking access on SSH port anyway).
What worried me was that if this is the default, people are at danger when making a fresh install of Trisquel, AND if it is NOT the default, I might have done something wrong that changed those values.
So, anyway, I thought I could alert you guys, and get an explanation on this, before opening a bug ticket. If someone can confirm if this is the default or not, and how much danger this could represent, I would gladly open the bug.
If I am mistaken and this is not dangerous at all, I apologize for bothering you :)
From the manual:
PermitRootLogin
Specifies whether root can log in using ssh(1). The argument must be “yes”, “prohibit-password”, “without-password”, “forced-commands-only”, or “no”. The default is “prohibit-password”.
If this option is set to “prohibit-password” or “without-password”, password and keyboard-interactive authentication are disabled for root.
If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.
If this option is set to “no”, root is not allowed to log in.
It's not as bad as I thought, but for me it's a useless thing in a desktop. Anyway, it seems to not be as bad as I thought (even if even recently a bug was found, read this: OpenSSH 7.0 contained a logic error in PermitRootLogin=prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication.)
Only "openssh-client" is part of Trisquel 7's default install, not "openssh-server".
I can't be 100% sure at this point, but I don't remember installing the server on my laptop and it is installed (just checked). So I assume it was in the default intallation. Again, I can't be 100% sure, maybe I installed and forgot it, though it's weird seeing I NEVER used ssh. If some more people (with a fresh install of Trisquel) can confirm mine and Magic Banana's point, it would be nice.
The ssh server used to be part of the default install but it no longer is.
Thanks.
So, supposedly it is not installed by default in Trisquel 7? Only in 6?
I think this was a fresh install, not an update... hum... Might be mistaken. Anyway.
Not sure in which version it got changed. Looks like the bug is filed against version 6 for what it's worth.
At least, the "trisquel", "trisquel-base", "trisquel-recommended", ... meta-packages do not depend on "ssh", "openssh-server" or "openssh-sftp-server". And they are suppose to define the default system. Also, the ISO only includes the OpenSSH client:
$ wget -qO - http://cdimage.trisquel.info/trisquel-images/trisquel_7.0_amd64.iso.manifest | grep ssh
openssh-client 1:6.6p1-2ubuntu2+7.0trisquel1
ssh-askpass-gnome 1:6.6p1-2ubuntu2+7.0trisquel1
openssh-server is installed by default on Debian. I am pretty sure on Trisquel 7 only the client (not the server) is there on a default installation.
Absolute openBSD says:
«You're offered a chance to disable root logins over SSH. Use this default. The root account should never be permitted to log in via SSH, unless using public key authentication, and even then, those logins should be restricted. For the reasons to avoid root logins over SSH, do an Internet search for "Hail Mary cloud."»
http://bsdly.blogspot.sg/2013/10/the-hail-mary-cloud-and-lessons-learned.html
- Inicie sesión o regístrese para enviar comentarios