Fedora 31 Will Finally Disable OpenSSH Root Password-Based Logins By Default

    Phoronix: Fedora 31 Will Finally Disable OpenSSH Root Password-Based Logins By Default

    Fedora 31 will harden up its default configuration by finally disabling password-based OpenSSH root log-ins, matching the upstream default of the past four years and behavior generally enforced by other Linux distributions...

    http://www.phoronix.com/scan.php?pag...-Root-Pass-Def
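The article and the keys-not-passwords advice in the replies below both come down to two sshd_config keywords. What follows is an added example, not code from the thread, from Fedora or from OpenSSH: a small POSIX shell audit that reports whether a given sshd_config still lets root authenticate with a password. It mirrors one rule of sshd_config(5) that is easy to get wrong when hardening by hand: for each keyword sshd uses the first value it reads, so a `PermitRootLogin no` appended below an earlier `PermitRootLogin yes` changes nothing. The sample configs are constructed for the demonstration; the simplifications (scanning stops at the first `Match` block, the `Keyword=value` spelling is not parsed) are assumptions of this example, not sshd behaviour.

```shell
#!/bin/sh
# Added example (not from the thread, Fedora or OpenSSH): audit the two
# sshd_config keywords behind the Fedora 31 change. sshd uses the FIRST value
# it reads for each keyword, so the scan below stops at the first hit.
# Assumptions of this example: Match blocks end the global section and are
# not evaluated; the "Keyword=value" spelling is not handled.

# Constructed sample configs: the old distribution-style default, the
# hardened form the article describes, and an ordering mistake.
WEAK_CFG='# constructed sample: root may log in with a password
PermitRootLogin yes
PasswordAuthentication yes
'
HARDENED_CFG='# constructed sample: keys only for root, no passwords at all
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
'
ORDER_TRAP_CFG='# constructed sample: the hardening line comes too late
PermitRootLogin yes
PermitRootLogin no
'

# effective_value CONFIG_TEXT KEYWORD
# Print the first value set for KEYWORD (case-insensitive) in the global
# section, or nothing if the keyword is never set there.
effective_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }          # blank lines and comments
        tolower($1) == "match"      { exit }          # global section ends here
        tolower($1) == tolower(key) { print $2; exit } # first value wins
    '
}

# root_password_login_allowed CONFIG_TEXT
# Return 0 (true) when root could authenticate with a password, 1 otherwise.
# Defaults for absent keywords follow upstream OpenSSH: PermitRootLogin
# prohibit-password (the default since OpenSSH 7.0), PasswordAuthentication yes.
root_password_login_allowed() {
    prl=$(effective_value "$1" PermitRootLogin)
    pa=$(effective_value "$1" PasswordAuthentication)
    [ -n "$prl" ] || prl=prohibit-password
    [ -n "$pa" ]  || pa=yes
    [ "$prl" = yes ] && [ "$pa" = yes ]
}

# audit_sshd_config FILE
# Human-readable verdict for a real file; exit 1 when root password logins
# are possible so the function can be used from a config-check job.
audit_sshd_config() {
    cfg=$(cat "$1") || return 2
    if root_password_login_allowed "$cfg"; then
        echo "$1: root can log in with a password (PermitRootLogin=$prl, PasswordAuthentication=$pa)"
        return 1
    fi
    echo "$1: root password logins are disabled (PermitRootLogin=$prl, PasswordAuthentication=$pa)"
}

# Usage on a live system: audit_sshd_config /etc/ssh/sshd_config
```

The ordering sample is the case worth remembering: a hardening line dropped at the bottom of a file that already sets the keyword is silently ignored, so the audit reads the first value rather than the last.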

  • #2
    Good move! Sensible security-sensitive defaults FTW.


    • #3
      With a sensible root password it should be safe anyway, no?


      • #4
        Originally posted by Spam View Post
        With a sensible root password it should be safe anyway, no?
        The username is very predictable anyway so it's always going to be better to login with ssh key (not password) as a regular user and sudo to root when you need elevated access. If you must use root, I would switch to using ssh key instead of a password and disable password based access


        • #5
          Originally posted by Spam View Post
          With a sensible root password it should be safe anyway, no?
          surely a sensible password would be too hard to remember / too cumbersome to enter


          • #6
            Root login should be disabled by default. Escalating privileges is the way to go.


            • #7
              Originally posted by Spam View Post
              With a sensible root password it should be safe anyway, no?
              If you are being tricked into talking to a rogue server (via e.g. a MITM) then they now hold your password. And to have a sensible password (say 40 characters) then it's much easier to use keys instead anyway. Password for SSH should only be used for first time setup on a new machine if you have no other means of transferring files to it (so you can put the public key on the server).


              • #8
                Originally posted by RahulSundaram View Post
                The username is very predictable anyway so it's always going to be better to login with ssh key (not password) as a regular user and sudo to root when you need elevated access. If you must use root, I would switch to using ssh key instead of a password and disable password based access
                Nonsense. You can very well have a key login to server as root. It doesn't make it less safe. If you need to do regular stuff or don't need root permissions, you shouldn't use root. For using package manager and adjusting configuration root login over ssh with keys is fine.


                • #9
                  It always boils down to what kind of admin is running the machine.
                  Everything else is an illusion of security.


                  • #10
                    I have been administering machines since you could log into the root account over telnet by default, and while being able to log into root over SSH is very convenient, it's far from secure even on an internal network. In this day and age there is no reason not to have an individual account and use sudo, and if you really need a root shell there is always "sudo -s". If you run into a situation where a machine is so broken that you can't use anything but a root login, you should have physical access to that machine (and probably pull it off of the network in case it's infected in some way).
