PermitRootLogin (was: Re: Tightening SSH access)

From: Carlos Moreno (moreno_at_mochima_dot_com_at_xx.xxx)
Date: 07/09/05

Next message: Philip Washington: "Re: curious wtmp date"

Previous message: Tony Lawrence: "Re: Tightening SSH access"
In reply to: Carlos Moreno: "Tightening SSH access"
Next in thread: Stephen Webster: "Re: PermitRootLogin"
Reply: Stephen Webster: "Re: PermitRootLogin"
Reply: Grant Coady: "Re: PermitRootLogin (was: Re: Tightening SSH access)"
Reply: jafar: "Re: PermitRootLogin (was: Re: Tightening SSH access)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 09 Jul 2005 11:50:19 -0400

I just tried configuring one of the servers to disallow root login.

One problem/weakness I noticed is that even though the login is
ultimately refused, typing the correct password and typing an
incorrect password produce different behaviours.

This is indeed a weakness, I believe, as it discloses the fact that
you got the correct password (I know that guessing the root password
should be extremely unlikely, but these are the odds that they're
playing when brute-forcely attempting to login as root, right?)

IMHO, if the server must wait until the time to refuse login, then
it should refuse it in the exact same way. A better solution, of
course, would be that as soon as root is entered as user name, it
should immediately close the connection (without even saying
goodbye). This could be done for the special case of root (but
perhaps not for the other users, as that would allow attackers to
know when they got a correct username).

Comments? (time to write to the OpenSSH guys with this feature
request? Or has this been addressed in the past?)

Thanks! And thanks to all that have replied so far!

Carlos

--

Next message: Philip Washington: "Re: curious wtmp date"

Previous message: Tony Lawrence: "Re: Tightening SSH access"
In reply to: Carlos Moreno: "Tightening SSH access"
Next in thread: Stephen Webster: "Re: PermitRootLogin"
Reply: Stephen Webster: "Re: PermitRootLogin"
Reply: Grant Coady: "Re: PermitRootLogin (was: Re: Tightening SSH access)"
Reply: jafar: "Re: PermitRootLogin (was: Re: Tightening SSH access)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Why is login so screwed up?
... ]When I set Linux up, I gave them the root password they asked for. ... I tried to login using the name I gave during setup, ... No linux system will refuse your ...
(comp.os.linux.security)
SUMARY: Cant login as root
... As a result, i was not able to log in as root, neither create a new ... Asunto: RE: Can't login as root ... > console. ... > If we log as any other user everythig is ok, but we cannot either do su-. ...
(Tru64-UNIX-Managers)
RE: Urgent help needed with Login problems after installation of FC1
... symptom trying to su back to root. ... After another minimal install, I was able to add my user and su to it and su ... I was unable to boot using the boot floppy. ... I did a minimal install and was able to login as root, ...
(Fedora)
Re: BSM, SSH, and Session ID
... Are you logging in as root through ssh or is that just the way it is ... Sun SSH/OpenSSH should fork off before the login because the sshd ... It should always be a different session, ...
(Focus-SUN)
Re: i can not log as a root
... >> how i can log as a user but not as a root. ... > Problem seems to be with the X session not your login but we'll try a few ... > select the OS/kernel that you boot to, ... > Looks like something is wrong with your Xsessions script or one of the ...
(linux.redhat)