Is allowing root login in SSH with "PermitRootLogin without-password" a secure method while setting up IP.

5.4K    Asked by CamelliaKleiber in SQL Server , Asked on Oct 11, 2021

I have set my live IP in /etc/hosts.allow, and have denied all other hosts. I have also set PermitRootLogin without-password in /etc/ssh/sshd_config.

Do you think its a secure method? Can an cyber attacker crack my key and login to my server? If yes, then how is it possible? 

Answered by Anil Jha

This is a common misunderstanding for the PermitRootLogin feature. The without-password option does not mean there is no authentication and any unauthorized person can get in without a password. All this option means is that logging in is only possible using a fallback method, such as public key authentication. Even if an attacker knows your root password, they will not be able to log in unless they have your private key.

It is actually better to use without-password if you need to log in as root, since it ensures that the root account cannot be brute forced. If you were to log in as root with a password, it could be subject to being remotely attacked, whereas public key authentication ensures you can only log in with the proper credential files. This is better than logging in as a different user and using su to elevate to root, as a compromise of that other user would result in a compromised root, since the user can monitor any keystrokes entered into its shell. This is explained in detail in the answer to Which is the safest way to get root privileges: sudo, su or login?.If you do not need to have root, then using another, dedicated user would be fine. In this case, setting  PermitRootLogin no would be beneficial, as there is no reason to have root access if not required.Permit root login


Use this group policy to specify whether and how root can log in using ssh. When you enable the policy, select one of the following options from the drop-down list:

  • yes — Allow root to log in using ssh.
  • without password — Disable password authentication for root. It is still possible for root to log in using another form of password authentication, such as keyboard-interactive PAM.
  • forced commands only — Allow root log in with public-key authentication, but only if the command option has been enabled. All other authentication methods are disabled for root.
  • no — Do not allow root to log in through ssh.

This group policy modifies the PermitRootLogin setting in the /etc/centrifydc/ssh/sshd_config file.



Your Answer

Online Course

Tutorials

Salesforce Tutorial

Software Testing Tutorial

SQL Tutorial

Business Analyst Tutorial

Devops Tutorial

Data Science Tutorial

AWS Tutorial

Hadoop Tutorial

SSRS Tutorial

AWS S3 Tutorial

Functional Testing Tutorial

SSAS Tutorial

Automation Testing Tutorial

Manual Testing Tutorial

Selenium Tutorial

Kubernetes Tutorial

Scala Tutorial

ETL Testing Tutorial

Python Tutorial

Pyspark Tutorial

R Tutorial

Unit Testing Tutorial

API Testing Tutorial

Puppet Tutorial

Integration Testing Tutorial

Chef Tutorial

Jenkins Tutorial

Ansible Tutorial

Vagrant Tutorial

Docker Tutorial

Interviews

Parent Categories

Copyright | JanBaskTraining.com