Fedora 31 Will Finally Disable OpenSSH Root Password-Based Logins By Default


#11
Originally posted by Tomin:

    Nonsense. You can very well have a key login to server as root. It doesn't make it less safe. If you need to do regular stuff or don't need root permissions, you shouldn't use root. For using package manager and adjusting configuration root login over ssh with keys is fine.

You called it nonsense and added a bunch of conditions in which root user login makes sense. Direct root login is discouraged by various standard security specifications including CIS for good reasons. I am not going to rehash them here.

#12
Originally posted by DoMiNeLa10:

    Root login should be disabled by default. Escalating privileges is the way to go.

Never.

I purposefully choose distros that leave root login intact. If I'm forced to use a distro that disables root, enabling it is the very first thing I do. No matter how many hoops I have to jump through. And if it's really that hard to enable, I just choose a different distro.

I hardly ever use the root account, that isn't it. Right now and always I'm browsing the web as a regular user. What happened is that I once had my user account blow up on a distro with the root account disabled and had to completely start over from scratch. Yeah, I could've created a second user account when the new install was first being put in, but why bother with that if the only reason for the second user account in the first place is so that if I need to fix something I log in to the clean account and it's root-enabled.

Root being enabled is a must-have feature.

#13
Originally posted by ezst036:

    I purposefully choose distros that leave root login intact.

That's like saying you only use distros where the default desktop wallpaper is green. If the wallpaper isn't green, it's time to learn a new distro! LMAO you can't be serious.

Originally posted by ezst036:

    What happened is that I once had my user account blow up on a distro with the root account disabled and had to completely start over from scratch. Yeah, I could've created a second user account when the new install was first being put in, but why bother with that if the only reason for the second user account in the first place is so that if I need to fix something I log in to the clean account and it's root-enabled.

    Root being enabled is a must-have feature.

This has nothing to do with disabling root login. Remote root login remains available by default. This news article is about logging in with a key instead of a password.

Edit2: Even if root login was disabled, in the scenario you described with a borked account, you'd simply boot into single user mode (or from CD), mount the root FS and fix it, and/or enable root login. It's a basic sysadmin 101 type of procedure. Not sure why you'd want to 'start over from scratch'.

Last edited by torsionbar28; 06-23-2019, 10:36 PM.

#14
Originally posted by ezst036:

    Never.

    I purposefully choose distros that leave root login intact. If I'm forced to use a distro that disables root, enabling it is the very first thing I do. No matter how many hoops I have to jump through. And if it's really that hard to enable, I just choose a different distro.

    I hardly ever use the root account, that isn't it. Right now and always I'm browsing the web as a regular user. What happened is that I once had my user account blow up on a distro with the root account disabled and had to completely start over from scratch. Yeah, I could've created a second user account when the new install was first being put in, but why bother with that if the only reason for the second user account in the first place is so that if I need to fix something I log in to the clean account and it's root-enabled.

    Root being enabled is a must-have feature.

Sounds like you've never chrooted into your own system.

#15
Personally, I consider the default configuration for services like ssh to be entirely irrelevant. This is THE main public danger facing point of access for your system. If you don't go over it PERSONALLY, then you deserve to DDOS yourself by painting a bullseye on port 22 to let all of China try to break in.

1) Put it on a port besides 22, 222, or 2222. I know this is not a real security approach, but it is amazing how much of that persistent attack traffic goes away with just this simple adjustment. On my HOME network, which isn't even a big target, if I have ssh on port 222, I'll get around 5-10 connections from China every hour.
2) No root password login. Key is ok if you really must, but definitely no password.
3) fail2ban, and with a right good and paranoid configuration. 2 shots in an hour and banned for at least a few hours. This is one of the biggest pieces of your security, because it takes you from 10 million IP addresses attacking you relentlessly, to 10 million IP addresses getting 2 shots and stopping.

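An added audit helper, not code from the thread or from Fedora, that checks the settings the thread argues about (PermitRootLogin plus the password-style authentication methods) the way sshd actually reads them: the first occurrence of a keyword wins and only the global section before any Match block is considered. The two sample configs are constructed; the "weak" one mirrors the pre-Fedora-31 style default, the "hardened" one the new prohibit-password default.

```shell
#!/bin/sh
# Added example: report whether an sshd_config still lets root log in with a
# password. sshd uses the FIRST occurrence of a keyword, so a later
# "PermitRootLogin no" does not override an earlier "PermitRootLogin yes".
# Only the global section is read; parsing stops at the first Match block
# (per-user/per-host overrides inside Match blocks are out of scope here).

# sshd_effective FILE KEYWORD DEFAULT -> prints the effective value, lower-cased
sshd_effective() {
    val=$(awk -v k="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }        # skip comments / blank lines
        tolower($1) == "match"      { exit }        # stop at the first Match block
        tolower($1) == tolower(k)   { print $2; exit }
    ' "$1")
    printf '%s\n' "${val:-$3}" | tr '[:upper:]' '[:lower:]'
}

# root_password_login_allowed FILE -> exit 0 if root can authenticate with a
# password (directly, or via PAM keyboard-interactive prompts), 1 otherwise
root_password_login_allowed() {
    prl=$(sshd_effective "$1" PermitRootLogin prohibit-password)   # upstream default
    pwa=$(sshd_effective "$1" PasswordAuthentication yes)
    cra=$(sshd_effective "$1" ChallengeResponseAuthentication yes)
    [ "$prl" = yes ] || return 1            # no / prohibit-password / forced-commands-only
    [ "$pwa" = yes ] || [ "$cra" = yes ]
}

# Constructed samples: a Fedora<=30-style config and a hardened one.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2345
PermitRootLogin prohibit-password
PasswordAuthentication no
ChallengeResponseAuthentication no
# this later duplicate is ignored by sshd: first match wins
PermitRootLogin yes
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    if root_password_login_allowed "$f"; then echo "$f: root password login ALLOWED"
    else echo "$f: root password login blocked"; fi
done
```

`sshd -T` prints the effective configuration directly on a live host; the parser above is only for auditing config files offline.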
#16
Originally posted by ezst036:

    Never.

    I purposefully choose distros that leave root login intact. If I'm forced to use a distro that disables root, enabling it is the very first thing I do. No matter how many hoops I have to jump through. And if it's really that hard to enable, I just choose a different distro.

    I hardly ever use the root account, that isn't it. Right now and always I'm browsing the web as a regular user. What happened is that I once had my user account blow up on a distro with the root account disabled and had to completely start over from scratch. Yeah, I could've created a second user account when the new install was first being put in, but why bother with that if the only reason for the second user account in the first place is so that if I need to fix something I log in to the clean account and it's root-enabled.

    Root being enabled is a must-have feature.

Try this:
ssh -t [email protected] /bin/sh
or if you want to skip a step:
ssh -t [email protected] /bin/su

#17
Originally posted by milkylainen:

    It always boils down to what kind of admin is running the machine.
    Everything else is an illusion of security.

This. You need to decide security on a server-by-server basis. Tighter security by default does make sense, as long as it's not too cumbersome for the average use case and the average user.

#18
Originally posted by ezst036:

    Never.

    I purposefully choose distros that leave root login intact. If I'm forced to use a distro that disables root, enabling it is the very first thing I do. No matter how many hoops I have to jump through. And if it's really that hard to enable, I just choose a different distro.

    I hardly ever use the root account, that isn't it. Right now and always I'm browsing the web as a regular user. What happened is that I once had my user account blow up on a distro with the root account disabled and had to completely start over from scratch. Yeah, I could've created a second user account when the new install was first being put in, but why bother with that if the only reason for the second user account in the first place is so that if I need to fix something I log in to the clean account and it's root-enabled.

    Root being enabled is a must-have feature.

Wow..
