Full Version: hmm disabling root login attempts
atm2000
looked at the sticky, and this is what it says:

I can create another group and then su to root. not a problem. it's been done already.

so when i go into the sshd_config file, I go to the line:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes

it's been changed to:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes

is there anything else I'm missing?
edit: first post! woohooo!
klaude
Welcome to the forums!

Add the line "PermitRootLogin no" to your sshd_config file to disable root login via SSH.
atm2000
QUOTE (klaude)
Welcome to the forums!

Add the line "PermitRootLogin no" to your sshd_config file to disable root login via SSH.


thanks Klaude!


one other thing I caught:
"
uncomment it and change it to PermitRootLogin no
then restart SSHD with /etc/rc.d/init.d/sshd restart
"

I had to restart sshd!
atm2000
check, it's still letting me login as root.

I've updated the sshd_config file and restarted sshd. still doesn't work.

Ideas?
klaude
Do you have any other uncommented PermitRootLogin files in sshd_config? To be sure are you editing the file /setc/ssh/sshd_config?
sightz
While we are on the subject, does anyone know once you have direct root login disabled, if you are able to login as root using a public/private key pair?

I have been experimenting with it, but without much success.

I need to be able to run WinSCP, but it is only useful if you can log in as root.

Ideas? Step by step walkthroughs?
atm2000
QUOTE (klaude)
Do you have any other uncommented PermitRootLogin files in sshd_config? To be sure are you editing the file /setc/ssh/sshd_config?


the file i am editing is: /etc/ssh/sshd_config and not the /setc/ssh/sshd_config
atm2000
QUOTE (sightz)
While we are on the subject, does anyone know once you have direct root login disabled, if you are able to login as root using a public/private key pair?

I have been experimenting with it, but without much success.

I need to be able to run WinSCP, but it is only useful if you can log in as root.

Ideas? Step by step walkthroughs?


wouldn't su to root after you logged in, work as well? :dunno:
klaude
QUOTE (atm2000)
QUOTE (klaude)
Do you have any other uncommented PermitRootLogin files in sshd_config? To be sure are you editing the file /setc/ssh/sshd_config?


the file i am editing is: /etc/ssh/sshd_config and not the /setc/ssh/sshd_config


Gah, that's my bad. It begins with /etc.
Root
QUOTE (atm2000)
QUOTE (klaude)
Do you have any other uncommented PermitRootLogin files in sshd_config? To be sure are you editing the file /setc/ssh/sshd_config?


the file i am editing is: /etc/ssh/sshd_config and not the /setc/ssh/sshd_config

That is correct. I'm pretty sure Kevin meant /etc/.
atm2000
QUOTE (klaude)
QUOTE (atm2000)
QUOTE (klaude)
Do you have any other uncommented PermitRootLogin files in sshd_config? To be sure are you editing the file /setc/ssh/sshd_config?


the file i am editing is: /etc/ssh/sshd_config and not the /setc/ssh/sshd_config


Gah, that's my bad. It begins with /etc.


hmmm....i thought so.

now, what have i missed. I did everything as expected, this is what I have for the sshd_config file (via cut/paste:)
# Authentication:

#LoginGraceTime 120
#PermitRootLogin no
#StrictModes yes


then I did a restart.... welp!
sightz
QUOTE (atm2000)
wouldn't su to root after you logged in, work as well? :dunno:


From WinSCP faq:
"But most of the servers (maybe all) require TTY terminal to execute su command. It makes them sure that a human is sitting by the client. Unfortunately WinSCP cannot use TTY terminal, because it is not compatible both with SFTP and SCP protocol."

Is there any other remote GUI file browser?
Blue|Fusion
QUOTE (atm2000)
QUOTE (klaude)
QUOTE (atm2000)
QUOTE (klaude)
Do you have any other uncommented PermitRootLogin files in sshd_config? To be sure are you editing the file /setc/ssh/sshd_config?


the file i am editing is: /etc/ssh/sshd_config and not the /setc/ssh/sshd_config


Gah, that's my bad. It begins with /etc.


hmmm....i thought so.

now, what have i missed. I did everything as expected, this is what I have for the sshd_config file (via cut/paste:)
# Authentication:

#LoginGraceTime 120
#PermitRootLogin no
#StrictModes yes


then I did a restart.... welp!


Uncomment PermitRootLogin no (delete the # before it).
atm2000
QUOTE (Blue|Fusion)
QUOTE (atm2000)
QUOTE (klaude)
QUOTE (atm2000)
QUOTE (klaude)
Do you have any other uncommented PermitRootLogin files in sshd_config? To be sure are you editing the file /setc/ssh/sshd_config?


the file i am editing is: /etc/ssh/sshd_config and not the /setc/ssh/sshd_config


Gah, that's my bad. It begins with /etc.


hmmm....i thought so.

now, what have i missed. I did everything as expected, this is what I have for the sshd_config file (via cut/paste:)
# Authentication:

#LoginGraceTime 120
#PermitRootLogin no
#StrictModes yes


then I did a restart.... welp!


Uncomment PermitRootLogin no (delete the # before it).


doh! But when I updated the sshd_config file with the uncommented, restarted, and it's still letting me login as root!
Blue|Fusion
Check for another PermitRootLogin with "yes" somewhere else in the file.
atm2000
QUOTE (Blue|Fusion)
Check for another PermitRootLogin with "yes" somewhere else in the file.


i believe there is only one instance, but checked anyhow and nadda.


atm2000
QUOTE (atm2000)
QUOTE (Blue|Fusion)
Check for another PermitRootLogin with "yes" somewhere else in the file.


i believe there is only one instance, but checked anyhow and nadda.




I did it at last!!!!!!! woohoo!

here's the changes:
#LoginGraceTime 120
PermitRootLogin no
StrictModes no

I said "no" to the StrictMode argument!
chrisbliss18
QUOTE (sightz)
While we are on the subject, does anyone know once you have direct root login disabled, if you are able to login as root using a public/private key pair?

I have been experimenting with it, but without much success.

I need to be able to run WinSCP, but it is only useful if you can log in as root.

Ideas? Step by step walkthroughs?

Don't use "PermitRootLogin no". Use "PermitRootLogin without-password" instead. This will allow logins by root only when a password is not used (i.e. when an RSA key is being used as the authentication method). I have this set on the servers that I administrate to allow server to server copying from/to root-protected areas.

+++++ update +++++
I just realized that I am a whole year late on this. Hopefully this helps someone.
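
The two questions in this thread (why a directive left behind a "#" has no effect, and what "PermitRootLogin no" versus "without-password" allows) can be checked mechanically. The shell script below is an added example, not part of any post: it reports the value sshd would apply from the global section of a config file. The function names, the sample files and the assumed built-in default of "yes" are illustrative, and Include files and Match blocks are not followed.

```shell
#!/bin/sh
# Added example: report how sshd would treat root logins for a given sshd_config.

# effective_opt FILE KEYWORD DEFAULT
# Prints the value used for KEYWORD: commented lines are ignored, keywords
# are case-insensitive, the first uncommented occurrence wins, and DEFAULT
# (an assumption supplied by the caller) applies when none is found.
effective_opt() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/    { next }   # skip comments and blank lines
        tolower($1) == "match"      { exit }   # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# root_login_verdict FILE DEFAULT
# Maps the effective PermitRootLogin value to what it means for root.
root_login_verdict() {
    case "$(effective_opt "$1" PermitRootLogin "$2")" in
        no)                                 echo "root-denied" ;;
        without-password|prohibit-password) echo "root-key-only" ;;
        forced-commands-only)               echo "root-forced-commands" ;;
        *)                                  echo "root-password-allowed" ;;
    esac
}

# Constructed sample files mirroring the three states seen in the thread.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
printf '#LoginGraceTime 120\n#PermitRootLogin no\n#StrictModes yes\n' > "$tmp/commented"
printf '#LoginGraceTime 120\nPermitRootLogin no\nStrictModes no\n'   > "$tmp/final"
printf 'PermitRootLogin without-password\n'                          > "$tmp/keyonly"

for f in commented final keyonly; do
    printf '%-10s PermitRootLogin=%s StrictModes=%s -> %s\n' "$f" \
        "$(effective_opt "$tmp/$f" PermitRootLogin yes)" \
        "$(effective_opt "$tmp/$f" StrictModes yes)" \
        "$(root_login_verdict "$tmp/$f" yes)"
done
```

The "final" sample also reports StrictModes=no, which turns off sshd's ownership and permission checks on the user's home directory and files, a setting separate from root login. On a live host, `sshd -T` prints the effective configuration that sshd itself computes.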