[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: ssh allowing root login with no password



Probably would be better if you created another user with similar sudo
privileges and allow them to ssh as root. Letting root ssh can be a bad idea

On Mon, May 9, 2011 at 3:18 PM, Steven Buehler <steve ibushost com> wrote:

> I am trying to setup our servers to only allow logins with a public/private
> key pair.  2 of our machines have to have root login access with ssh and
> the
> rest, we will login as another account and su to root.  I just started with
> this company and on their boxes which range from version 5.1 to 5.5, if I
> open up the firewall to allow ssh access from anywhere, I can ssh to root
> without a password.  The only uncommented lines in the /etc/ssh/sshd_config
> are the following:
>
>
>
> Protocol 2
>
> SyslogFacility AUTHPRIV
>
> PasswordAuthentication no
>
> ChallengeResponseAuthentication no
>
> GSSAPIAuthentication yes
>
> GSSAPICleanupCredentials yes
>
> UsePAM no
>
> PubkeyAuthentication yes
>
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
> LC_MESSAGES
>
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
>
> AcceptEnv LC_IDENTIFICATION LC_ALL
>
> GatewayPorts yes
>
> X11Forwarding yes
>
> Subsystem       sftp    /usr/libexec/openssh/sftp-server
>
>
>
> I'm hoping that someone can lead me in the right direction as I can't
> figure
> this one out.  If this was only one machine, I would assume that it might
> have been hacked, but this is all of their servers and VM's that will allow
> me to ssh to them without a login/password and get into root.  Luckily,
> they
> have always had their (supposedly anyway) iptables set to only allow access
> from specific IP's.
>
>
>
> Thanks
>
> Steve
>
>
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
>



-- 
-------------------------------------------------------------------------------------------------------------------------------------
NOTICE: This message, including all attachments, is intended for the use of
the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law. If the reader of this message is not the intended
recipient, or the employee or agent responsible for delivering this message
to its intended recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited. If you
have received this communication in error, please notify the sender
immediately by replying "Received in error" and immediately delete this
message and all its attachments.
-------------------------------------------------------------------------------------------------------------------------------------


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]