On Mon, 12 Jan 2015, Przemek Klosowski wrote:
First of all, I agree with you that PermitRootLogin without-password is
preferable.
Good :)
The discussion I am interested in is whether direct password root login should
remain enabled.
With root logins, all you have on the client machine is the IP the connection
originated from.
$ ssh root@localhost
Last failed login: Mon Jan 12 17:25:40 EST 2015 from 61.174.50.244 on ssh:notty
There were 3862 failed login attempts since the last successful login.
Last login: Sat Jan 10 11:36:43 2015 from thinkpad.nohats.ca
root@bofh:~# tail /var/log/audit/audit.log
type=CRYPTO_SESSION msg=audit(1421103620.649:1371831): pid=7380 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start
direction=from-client cipher=aes128-ctr ksize=128 mac=hmac-md5-...@openssh.com spid=7381
suid=74 rport=60353 laddr=127 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1
terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1421103620.649:1371832): pid=7380 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start
direction=from-server cipher=aes128-ctr ksize=128 mac=hmac-md5-...@openssh.com spid=7381
suid=74 rport=60353 laddr=127 exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1
terminal=? res=success'
type=USER_AUTH msg=audit(1421103620.721:1371833): pid=7380 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey_auth rport=60353 acct="root"
exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_AUTH msg=audit(1421103620.721:1371834): pid=7380 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=key algo=ssh-dss size=1024
fp=13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a rport=60353 acct="root"
exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
type=USER_ACCT msg=audit(1421103620.741:1371835): pid=7380 uid=0 auid=4294967295 ses=4294967295
subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root"
exe="/usr/sbin/sshd" hostname=bofh.nohats.ca addr=::1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1421103620.742:1371836): pid=7380 uid=0 auid=4294967295
ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session
fp=? direction=both spid=7381 suid=74 rport=60353 laddr=127.0.0.1 lport=22
exe="/usr/sbin/sshd" hostname=? addr=127.0.0.1 terminal=? res=success'
Note the: fp=13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a
paul@bofh:~$ ssh-keygen -l -f .ssh/id_nohats
1024 13:67:ff:08:9d:8d:4a:32:77:3e:0a:09:81:a6:bc:4a p...@nohats.ca
(DSA)
Looks like me :)
More importantly, there is one root for all users---if one user needs to be
blocked (e.g. sysadmin quits), the only
solution is to change the root password everywhere. Individual accounts can be
controlled independently, especially in
setups with centralized account management like Kerberos/IPA.
Yes, I am not advocating root passwords :)
- allows more granularity in granting elevated privileges across a
set of machines and admins
That is true, but honestly the number of ways to get out of a restricted
sudo command list are pretty extensive. If you give them one command as
root you almost always give them a way to get a root shell.
Nothing in the current setup is preventing you from allowing non-root
remote access. Blocking direct root access does not "allow more
granularity".
You already have all the granularity if you want to use it.
But if the single-password root is enabled, why would anyone use those granular
methods?
I said install ssh keys for root, not passwords.
Paul
--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
