able to login as root via ssh :-(
Don Russell
fedora at drussell.dnsalias.com
Tue Aug 8 02:05:20 UTC 2006
Todd Zullinger wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Don Russell wrote:
>
>> FC5
>> openssh-4.3p2-4
>>
>> I was surprised to find that I can log in as root via ssh from my
>> Windows machine to my FC5 box.
>>
>
> Why? Just curious what made you believe it was disabled by default.
>
Well.... just ignorance on my part.... but ftp doesn't allow me log in
as root, and I don't recall changing that setting. Call it "I expected
any form of remote access to be consistent in denying root access". Of
course they are different programs (ftp server/ssh server)... and I
always see messages that say "... ssh in, then su - to root...." sort of
implies that ssh to root directly won't work. But again, abad assumption
on my part. :-(
>> I've always used ssh to log in as a user then 'su -' ....
>>
>> I don't see anything in /etc/ssh/sshd_config to prevent that, or
>> enable it for that matter?
>>
>
> Line 39 in the default /etc/ssh/sshd_config:
>
> #PermitRootLogin yes
>
> The comments at the top indicate that commented values should
> represent the defaults.
>
Now that it's pointed out to me, of course I see that. :-) Thank you.
One of these days I will learn how to do a case-insensitive search in
vim :-(
I did /root and of course it came up empty... so I figured there must
have been some other place...
>> What do I need to change so root can't be logged in via ssh? Or is
>> it letting me because it recognizes a key?
>>
>
> Uncomment the above line and change yes to no.
>
> You might also want to disable password based authentication and only
> allow a few explicit users. See PasswordAuthentication and AllowUsers
> in the sshd_config(5) man page.
That's a good idea.... I'm the only one that needs remote access.... and
my logs are always showing people "knocking at the door" sometimes
hundreds a day.
Thanks... now, if only it wouldn't bother asking for a password when the
userid is 'root'.. like ftp simply denies the request right there. But,
at least that little door is closed now. :-)
More information about the fedora-list
mailing list