dannyman.toldme.com

WARNING: PermitRootLogin defaults to “yes”

For many yers I have used FreeBSD nearly exclusively. In the BSD tradition, root is pretty well protected — root can not log in from remote unless you put some effort into hooking that up, and local users can only run su if they are members of the wheel group. Because of the nifty sudo tool and my own disinterest in memorizing any more passwords than necessary, I have tended to remain unconcerned with the root password, setting it and storing the thing somewhere, which is a pain, or setting it to something dumb, or just not setting it, depending on the security needs of a given system.

I recently learned a painful lesson from Fedora: not all unices are as protective of the root user. Sure, I knew that in Linux any local user can run su, but OpenSSH isn’t going to allow people to log in as root, right? Wrong!

I had a test box from ASA that shipped with FC3. I made it accessible over the Internet. I added a user for myself, gave him sudo access, and removed the vendor-supplied non-root user. By default, Fedora Core has a firewall that denies inbound SSH access. I took that as evidence that Fedora was operating on the principle of least privilege, and reconfigured the firewall to allow inbound SSH, and let the machine be. A week later I logged in, and kept getting out of memory errors. Before long, I figured out that the box was owned by hackers, and shut it down.

In discussing the event with colleagues, I learned that Fedora defaults to allowing root to log in via SSH. And root’s password had been left, by me, to the default vendor password, which is well-known. This seems bass ackwards to me — by default you firewall off SSH, but you allow root to login? Okay, harsh lesson. Fedora is stupid. And I am stupid for not always setting a hard root password.

But it turns out, Fedora isn’t inventing the stupidity, the stupidity apperently ships with OpenSSH. Let us RTFM:

FreeBSD

     PermitRootLogin
             Specifies whether root can login using ssh(1).  The argument must
             be "yes", "without-password", "forced-commands-only" or
             "no".  The default is "no".  Note that if
             ChallengeResponseAuthentication is "yes", the root user may be
             allowed in with its password even if PermitRootLogin is set to
             "without-password".

Fedora

     PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be "yes", "without-password", "forced-commands-only", or
             "no".  The default is "yes".

OpenSSH

http://www.openssh.com/manual.html links to http://www.openbsd.org/cgi-bin/man.cgi?query=sshd_config:

     PermitRootLogin
             Specifies whether root can log in using ssh(1).  The argument
             must be "yes", "without-password", "forced-commands-only"
             or "no".  The default is "yes".

Best Practices

• Always set the root password to something hard. Sure, this will make it harder for you to hop on the console, but it beats getting hacked. If you have a valid local user and sudo is available, you can usually derive your console from that.
• Store your root password in an extremely secure location. Your head is a great default, but this has limited, faulty memory, that is not easily shared with your other admins. A GPG-encrypted file works well . . .
• Always audit a new system before putting it on the Internet. Especially if this is your first time with the OS. I was lazy because this was a non-production system, but doing an audit would have been a lot more convenient than cleaning this mess.
• Verify your assumptions. If you think that root should not be allowed to log in via SSH, then test and make sure that this is the case. Ditto with failover procedures . . . arrange to test them before you assume that you can complete a failover at 3AM.