Is allowing root login in SSH with "PermitRootLogin without-password" a secure method while setting up IP.
I have set my live IP in /etc/hosts.allow, and have denied all other hosts. I have also set PermitRootLogin without-password in /etc/ssh/sshd_config.
Do you think its a secure method? Can an cyber attacker crack my key and login to my server? If yes, then how is it possible?
This is a common misunderstanding for the PermitRootLogin feature. The without-password option does not mean there is no authentication and any unauthorized person can get in without a password. All this option means is that logging in is only possible using a fallback method, such as public key authentication. Even if an attacker knows your root password, they will not be able to log in unless they have your private key.
It is actually better to use without-password if you need to log in as root, since it ensures that the root account cannot be brute forced. If you were to log in as root with a password, it could be subject to being remotely attacked, whereas public key authentication ensures you can only log in with the proper credential files. This is better than logging in as a different user and using su to elevate to root, as a compromise of that other user would result in a compromised root, since the user can monitor any keystrokes entered into its shell. This is explained in detail in the answer to Which is the safest way to get root privileges: sudo, su or login?.If you do not need to have root, then using another, dedicated user would be fine. In this case, setting PermitRootLogin no would be beneficial, as there is no reason to have root access if not required.Permit root login
Use this group policy to specify whether and how root can log in using ssh. When you enable the policy, select one of the following options from the drop-down list:
- yes — Allow root to log in using ssh.
- without password — Disable password authentication for root. It is still possible for root to log in using another form of password authentication, such as keyboard-interactive PAM.
- forced commands only — Allow root log in with public-key authentication, but only if the command option has been enabled. All other authentication methods are disabled for root.
- no — Do not allow root to log in through ssh.
This group policy modifies the PermitRootLogin setting in the /etc/centrifydc/ssh/sshd_config file.
Answer (1)
Allowing root login via SSH with "PermitRootLogin without-password" can be considered more secure than permitting password-based root logins, but it is not without risks. This setting allows root login only with SSH keys, which can enhance security compared to using passwords. However, there are still some best practices and potential security considerations to keep in mind:
Explanation of "PermitRootLogin without-password"
"without-password": This option allows root login only with SSH keys. Password-based authentication for the root user is disabled, which helps prevent brute-force attacks on root passwords.
Security Advantages
Stronger Authentication: SSH keys are generally considered more secure than passwords because they are harder to brute-force and are not susceptible to common password attacks.
No Password Transmission: Since passwords are not used, there is no risk of them being intercepted during transmission.
Ease of Management: SSH keys can be centrally managed, allowing for easier control over who can access the root account.
Potential Risks and Considerations
Compromised Keys: If an SSH key is compromised, it can be used to gain root access. Therefore, protecting your private keys and using passphrases is crucial.
Physical Security: Ensure the machines from which you connect are secure. If an attacker gains access to your local machine, they could potentially use your SSH key to access the server.
Audit and Monitoring: Monitor and log root access attempts to detect any unauthorized access attempts.
Disable Root Login: For an added layer of security, consider disabling root login altogether and using sudo for administrative tasks. This way, even if a user’s SSH key is compromised, the attacker still needs to escalate privileges to perform administrative tasks.
Best Practices
Use Strong SSH Keys: Ensure you use a strong key type (e.g., RSA 4096-bit or ECDSA 256-bit) and protect private keys with a passphrase.
Limit IP Access: Restrict SSH access to the server to a specific IP range or use a VPN.
Enable Two-Factor Authentication (2FA): Implement 2FA for an added layer of security.
Regular Key Rotation: Periodically rotate SSH keys to limit the risk of key compromise.
Disable Root Login: If possible, disable root login and use a non-root user with sudo for administrative tasks:
PermitRootLogin noFirewall Configuration: Ensure your firewall is configured to allow SSH access only from trusted IP addresses.
Configuration Example
To allow root login with SSH keys only, you need to set the following in your /etc/ssh/sshd_config file:
PermitRootLogin without-passwordAfter making changes to the SSH configuration file, restart the SSH service:
sudo systemctl restart sshdConclusion
While "PermitRootLogin without-password" enhances security compared to allowing password-based root logins, it’s important to implement additional security measures. Using SSH keys, restricting access, monitoring, and considering the complete disabling of root logins in favor of sudo are all practices that can help protect your system.