PermitRootLogin without-password

Posted May 15, 2008 10:02 UTC (Thu) by gvy (guest, #11981)
In reply to: Brute-Force SSH Server Attacks Surge (InformationWeek) by tialaramex
Parent article: Brute-Force SSH Server Attacks Surge (InformationWeek)

Recent OpenSSH 4.x supports restricting root to key-only auth; that's how it's set up by
default in ALT Linux 4.0.  Previous ALT releases used to set "PermitRootLogin no" and recommend
sudo/su -- preferably with a separate user in the wheel group, since one of the control(8)-ed
settings for /bin/su and /usr/bin/sudo file permissions is "suid, executable by wheel group,
no world perms at all".

I think I've heard of 1 (one) case when an unsuspecting ALT Linux user would get his root
account bruteforced -- due to an offline system with an easy password and manually enabled
remote root login being brought online.

Still, AllowUsers/AllowGroups is basically a must on multiuser systems where not literally
everyone must have remote access; as mentioned, IP filtering and a weird port are also worthy
things to consider doing, depending on one's situation.  Port knocking techniques sometimes
come in handy too.


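A small audit of the two sshd_config settings the comment above recommends (key-only root login and AllowUsers/AllowGroups), added here as an example and not part of the original comment. The sample configs and the group name `sshusers` are constructed, and only the global section is evaluated (Match blocks are skipped).

```python
# Added example: audit sshd_config text for key-only root and user restriction.
KEY_ONLY = {"without-password", "prohibit-password"}  # newer name is a synonym
KNOWN = KEY_ONLY | {"yes", "no", "forced-commands-only"}

def effective_global(text):
    """Return {keyword: [args]} for the global section of an sshd_config."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # overrides below here are conditional
            break
        settings.setdefault(key, parts[1:])  # first PermitRootLogin line wins
    return settings

def audit(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = effective_global(text)
    findings = []
    root = cfg.get("permitrootlogin")
    value = root[0].lower() if root else None
    if value is None:
        findings.append("PermitRootLogin not set explicitly: build default applies")
    elif value == "yes":
        findings.append("PermitRootLogin yes: root is not limited to key-only auth")
    elif value not in KNOWN:
        findings.append(f"PermitRootLogin {value}: unrecognised value")
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append("no AllowUsers/AllowGroups: remote login is not restricted")
    return findings

WEAK = """# constructed sample
Port 22
permitrootlogin yes
PermitRootLogin without-password
"""
HARDENED = """# constructed sample
PermitRootLogin without-password
AllowGroups sshusers
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```

In the weak sample the later `without-password` line has no effect, because the earlier `yes` is the value sshd uses.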

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds