able to login as root via ssh :-(

Don Russell fedora at drussell.dnsalias.com
Tue Aug 8 02:05:20 UTC 2006


Todd Zullinger wrote:
>
> Don Russell wrote:
>   
>> FC5
>> openssh-4.3p2-4
>>
>> I was surprised to find that I can log in as root via ssh from my 
>> Windows machine to my FC5 box.
>>     
>
> Why?  Just curious what made you believe it was disabled by default.
>   

Well.... just ignorance on my part.... but ftp doesn't allow me to log in 
as root, and I don't recall changing that setting. Call it "I expected 
any form of remote access to be consistent in denying root access". Of 
course they are different programs (ftp server/ssh server)... and I 
always see messages that say "... ssh in, then su - to root...." sort of 
implies that ssh to root directly won't work. But again, a bad assumption 
on my part. :-(


>> I've always used ssh to log in as a user then 'su -' ....
>>
>> I don't see anything in /etc/ssh/sshd_config to prevent that, or
>> enable it for that matter?
>>     
>
> Line 39 in the default /etc/ssh/sshd_config:
>
> #PermitRootLogin yes
>
> The comments at the top indicate that commented values should
> represent the defaults.
>   

Now that it's pointed out to me, of course I see that. :-) Thank you.
One of these days I will learn how to do a case-insensitive search in 
vim :-(
I did /root and of course it came up empty... so I figured there must 
have been some other place...

>> What do I need to change so root can't be logged in via ssh? Or is
>> it letting me because it recognizes a key?
>>     
>
> Uncomment the above line and change yes to no.
>
> You might also want to disable password based authentication and only
> allow a few explicit users.  See PasswordAuthentication and AllowUsers
> in the sshd_config(5) man page.

That's a good idea.... I'm the only one that needs remote access.... and 
my logs are always showing people "knocking at the door" sometimes 
hundreds a day.


Thanks... now, if only it wouldn't bother asking for a password when the 
userid is 'root'.. like ftp simply denies the request right there. But, 
at least that little door is closed now. :-)
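
An added example, not part of the original message or of OpenSSH: a small Python audit that resolves the three settings named in this thread from an sshd_config text, matching keywords case-insensitively, ignoring commented lines so the default applies, and letting the first value of a keyword win. The default table, the sample files and the account name "don" are constructed assumptions.

```python
import re

# Assumed defaults: PermitRootLogin "yes" is what the thread reports for
# openssh-4.3p2; other OpenSSH releases may default differently.
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "allowusers": ""}

# Constructed sample: a stock-style file where the setting is only a comment.
STOCK = "#Port 22\n#PermitRootLogin yes\n#PasswordAuthentication yes\n"

# Constructed sample after the thread's advice ("don" is a made-up account).
# The keyword case varies and a contradictory line is appended on purpose.
HARDENED = ("permitrootlogin no\nPasswordAuthentication no\n"
            "AllowUsers don\nPermitRootLogin yes\n")

def effective(config_text):
    """Resolve the global settings the way sshd reads the file: comments are
    skipped, keywords are case-insensitive, the first value of a keyword wins."""
    cfg, explicit = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"(\S+?)(?:\s*=\s*|\s+)(.+)", line)
        if not m or line.startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key == "match":        # conditional blocks are out of scope here
            break
        if key == "allowusers":   # list keyword: repeated lines accumulate
            cfg[key] = (cfg[key] + " " + value).strip()
        elif key in cfg and key not in explicit:
            cfg[key] = value
            explicit.add(key)
    return cfg

def findings(config_text):
    """List the exposures discussed in the thread that are still present."""
    cfg, out = effective(config_text), []
    if cfg["permitrootlogin"] != "no":
        out.append("root login over ssh allowed: PermitRootLogin " + cfg["permitrootlogin"])
    if cfg["passwordauthentication"] != "no":
        out.append("password authentication enabled")
    if not cfg["allowusers"]:
        out.append("AllowUsers unset: login is not restricted to named accounts")
    return out

if __name__ == "__main__":
    for name, text in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, effective(text), findings(text))
```

Run it against a copy of /etc/ssh/sshd_config by passing the file's text to `findings()`; an empty list means all three settings from the thread are in place.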




