Clarification - ssh root login


OldSalt
06-24-04, 08:37
We recently did a test install of H-Sphere 2.4 on a FreeBSD 4.9 box and were puzzled by the requirement for root login in ssh.

I understand that specifying "PermitRootLogin without-password" tightens up security a bit by requiring a shared key and that the firewall can limit ssh access to the box, but why is root login required at all? Is there a reason why H-Sphere cannot login as an unprivileged user and su to root?

Also I read in one of the security threads (http://www.forum.psoft.net/showthread.php?t=7132) that one should Disable Remote Root Login which seems to contradict the root login via ssh requirement.

Can anyone clarify this for me?

Thanks.

ladylinux
06-24-04, 12:33
We recently did a test install of H-Sphere 2.4 on a FreeBSD 4.9 box and were puzzled by the requirement for root login in ssh. I understand that specifying "PermitRootLogin without-password" tightens up security a bit by requiring a shared key and that the firewall can limit ssh access to the box, but why is root login required at all? Is there a reason why H-Sphere cannot login as an unprivileged user and su to root?


The cpanel user (which exists only on the control panel) has the shared key and will need to ssh as root without a password. There are shared keys on each box that match up to the CP's id_dsa.pub key (~cpanel/.ssh).

These keys are copied onto each satellite box in /root/.ssh as authorized_keys2 (type 2).

Now, this is a way to tighten security further: if you set ssh to type 2 on all boxes, you can lose the identity.pub "type one" key ("authorized_keys") on all external boxes.

Now to the heart of the issue:

1. cpanel (the user with passwordless root ssh) has no external shell login ability. It only exists on the control panel.

2. There is nothing stopping you from creating, let's say, an admin user who can then su to root for daily shell admin type tasks on each box, particularly the control panel.

3. Grant group wheel access to that user (and cpanel), and make sure stuff like su is group-set to wheel.

http://www.dynamicnet.net/customer/h-sphere/security/disable_direct_root_login.htm

will give you a start.

Lady Linux :)
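An added example of how to check and tighten the satellite-box side of the setup ladylinux describes; this is my own script, not code from the thread, from psoft or from H-Sphere. It does two things: audits an sshd_config for "PermitRootLogin without-password" and "Protocol 2" (taking the first uncommented keyword, which is the one sshd actually uses, so a hardening line pasted at the bottom of the file under an earlier "PermitRootLogin yes" is caught), and builds the /root/.ssh/authorized_keys2 entry for the cpanel key with a from= option so the key only works from the control panel's address, on top of the firewall rule OldSalt mentions. The control panel address 192.0.2.10, the file paths, the hostname and the sample key are all made up, and it assumes H-Sphere runs assorted commands over this key, so no command= forced command is added.

```shell
#!/bin/sh
# Added example (not code from this thread, from psoft or from H-Sphere).
#   sshd_effective      - value sshd will actually use for a keyword
#   audit_sshd          - check an sshd_config for "PermitRootLogin
#                         without-password" and "Protocol 2"
#   restricted_key_line - build an authorized_keys2 entry for the control
#                         panel's cpanel key that only works from the CP
# Assumptions: the CP address 192.0.2.10, paths, hostname and the sample
# key are constructed; H-Sphere is assumed to need arbitrary commands over
# this key, so no command= restriction is added.

# Print the value sshd will use for a keyword. sshd takes the FIRST
# uncommented occurrence of each keyword, so a hardening line appended at
# the bottom of sshd_config is ignored when a weaker line sits above it.
sshd_effective() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Exit 0 when root can only get in with a key over protocol 2; otherwise
# print each problem and exit 1.
audit_sshd() {
    cfg=$1
    rc=0
    prl=$(sshd_effective "$cfg" PermitRootLogin)
    case "$prl" in
        without-password|forced-commands-only|no) ;;
        *) echo "$cfg: PermitRootLogin is '${prl:-yes (sshd default)}', root can log in with a password"
           rc=1 ;;
    esac
    proto=$(sshd_effective "$cfg" Protocol)
    case "$proto" in
        2) ;;
        *) echo "$cfg: Protocol is '${proto:-2,1 (sshd default)}', protocol 1 is still offered"
           rc=1 ;;
    esac
    return $rc
}

# Build the authorized_keys2 line for the cpanel public key. from= ties the
# key to the control panel's address (the firewall restriction, enforced
# again by sshd), and the no-* options drop forwarding that a control-panel
# login has no use for.
restricted_key_line() {
    cp_addr=$1
    pubkey_file=$2
    printf 'from="%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$cp_addr" "$(cat "$pubkey_file")"
}

# Write constructed sample files (weak and fixed sshd_config, fake CP key)
# into directory $1. The key data is made up, not a real key.
write_samples() {
    dir=$1
    cat > "$dir/sshd_config.weak" <<'EOF'
Protocol 2,1
PermitRootLogin yes
# this later line does nothing: the first PermitRootLogin above wins
PermitRootLogin without-password
EOF
    cat > "$dir/sshd_config.fixed" <<'EOF'
Protocol 2
PermitRootLogin without-password
EOF
    echo 'ssh-dss AAAAB3NzaC1kc3MAAACBAPexamplekeydata cpanel@cp.example.net' > "$dir/id_dsa.pub"
}

# Demo run on the constructed samples.
demo() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/sshaudit.XXXXXX") || return 1
    write_samples "$tmp"
    for f in "$tmp/sshd_config.weak" "$tmp/sshd_config.fixed"; do
        if audit_sshd "$f"; then echo "$f: ok"; fi
    done
    echo "authorized_keys2 entry for the satellite boxes:"
    restricted_key_line 192.0.2.10 "$tmp/id_dsa.pub"
    rm -r "$tmp"
}

demo
```

Run it as-is to see the weak sample flagged and the fixed one pass; on a real satellite, point audit_sshd at /etc/ssh/sshd_config and append the restricted_key_line output to /root/.ssh/authorized_keys2 in place of the bare key. The from= option only helps if the control panel's address is stable and not spoofable from where an attacker would sit, which is the same assumption the firewall rule already makes.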