
Re: ssh allowing root login with no password
On Mon, 2011-05-09 at 14:18 -0500, Steven Buehler wrote:
> I am trying to setup our servers to only allow logins with a public/private
> key pair.  2 of our machines have to have root login access with ssh and the
> rest, we will login as another account and su to root.  I just started with
> this company and on their boxes which range from version 5.1 to 5.5, if I
> open up the firewall to allow ssh access from anywhere, I can ssh to root
> without a password.  The only uncommented lines in the /etc/ssh/sshd_config
> are the following:
> 
> Protocol 2
> SyslogFacility AUTHPRIV
> PasswordAuthentication no
> ChallengeResponseAuthentication no
> GSSAPIAuthentication yes
> GSSAPICleanupCredentials yes
> UsePAM no
> PubkeyAuthentication yes
> AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> AcceptEnv LC_IDENTIFICATION LC_ALL
> GatewayPorts yes
> X11Forwarding yes
> Subsystem       sftp    /usr/libexec/openssh/sftp-server
> 
> I'm hoping that someone can lead me in the right direction as I can't figure
> this one out.  If this was only one machine, I would assume that it might
> have been hacked, but this is all of their servers and VM's that will allow
> me to ssh to them without a login/password and get into root.  Luckily, they
> have always had their (supposedly anyway) iptables set to only allow access
> from specific IP's.
> 
> Thanks
> Steve

Hi Steve,

In regard to authentication, by default in sshd_config you should have
the following options:
PasswordAuthentication yes
UsePAM yes
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#PermitRootLogin yes		(notice # at the beginning of the line)

This should allow only regular users with local accounts to ssh to the
server. Root is not allowed by default here. If you want to allow root with
a password, uncomment the #PermitRootLogin yes line.

You can find more info in man (5) sshd_config.
I hope this will help.

Regards,
Ges
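An added way to see what a given sshd_config actually enforces (example code written for this page, not from either poster): it reads the global directives the way sshd does, first value wins and commented lines are ignored, and fills in anything absent from an assumed table of OpenSSH 5.x compiled-in defaults, so a file like the one quoted above, which never mentions PermitRootLogin, is reported as relying on the daemon default rather than on the commented-out line. The sample config and the defaults table are constructed for the example; `sshd -T` on the host is the authoritative source.

```python
# Audit the authentication directives of an sshd_config (added example).
# sshd honours the FIRST value given for a keyword; an absent directive gets
# the daemon's compiled-in default, not the commented-out line of the stock
# file. Defaults are OpenSSH 5.x values (assumption; confirm with `sshd -T`).
BUILTIN_DEFAULTS = {
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "usepam": "no",
}

# Constructed sample modelled on the original post: a commented-out
# PermitRootLogin line and key-only authentication.
SAMPLE_CONFIG = """\
#PermitRootLogin yes
PasswordAuthentication no
UsePAM no
PubkeyAuthentication yes
"""

def parse_sshd_config(text):
    """Map keyword.lower() -> first value for the global section only.
    Stops at the first Match block; the Key=value spelling is not handled."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # first occurrence wins, as in sshd
    return settings

def audit_root_login(text):
    """Return (effective_settings, findings) for the directives above."""
    explicit = parse_sshd_config(text)
    effective, findings = {}, []
    for key, default in BUILTIN_DEFAULTS.items():
        if key in explicit:
            effective[key] = explicit[key].lower()
        else:
            effective[key] = default
            findings.append(f"{key} unset; daemon default '{default}' applies")
    if effective["permitrootlogin"] == "yes":
        findings.append("root may log in directly by any enabled method")
        if effective["pubkeyauthentication"] == "yes":
            findings.append("any key in /root/.ssh/authorized_keys yields a root shell")
    return effective, findings
```

Setting PermitRootLogin explicitly (for example to `without-password` on the two hosts that need key-based root access, and `no` elsewhere) removes the dependence on the compiled-in default that the audit flags.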
