Find the answer to your Linux question:
Results 1 to 7 of 7
I'd like to disallow direct root login to the server. However he should be allowed to execute certain set of commands via ssh. I've done it using PermitRootLogin=forced-commands-only option. I ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jan 2007
    Posts
    4

    OpenSSH - disallowing root login


    I'd like to disallow direct root login to the server.
    However he should be allowed to execute certain set of commands via ssh.
    I've done it using PermitRootLogin=forced-commands-only option.
    I solved the problem with remote commands execution with root privileges, but I don't know how to make scp working with this option
    I searched many forums, but I found, that there's no direct way to make scp working with PermitRootLogin=forced-commands-only.
    Do you have any ideas?

    Thanks
    Niko

  2. #2
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Are you willing to set up pubkey authentication for root? If so, in sshd_config set:
    • PermitRootLogin without-password
    • ChallengeResponseAuthentication no


    That will stop password authentication for root, and it should enable interactive session and scp commands using the pubkey authentication.

    Don't forget to restart / reload sshd after making the changes.

  3. #3
    Just Joined!
    Join Date
    Jan 2007
    Posts
    4
    Yes, root login should be allowed using pubkey authentication.

    But using settings you suggested, my problem has been solved (scp works fine), but root can login without password (simply: ssh root@hostname) from any account, which is highly dangerous.

    When I set:

    • PermitRootLogin yes


    scp also works and root can't login without password.
    But the problem is, that I have to disallow direct root logins to the remote machine.

  4. $spacer_open
    $spacer_close
  5. #4
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    but root can login without password (simply: ssh root@hostname) from any account, which is highly dangerous.
    I agree - that sounds dangerous. But that's not what I was suggesting that you do. The private key should be only in root's home directory. Then only he can log in using his key pair.

  6. #5
    Just Joined!
    Join Date
    Jan 2007
    Posts
    4
    The problem is, that in authorized_keys file there're many public keys as many users can login using pubkey authentication.

    What I observed was quite strange.
    I set:
    • PermitRootLogin without-password


    Then did su to non-privileged user (nico), which was allowed to login to the remote host via ssh+pubkey and then typed:
    Code:
    #ssh root@remotehost
    And after that I logged to the remote host as root. The private key used to login was taken from the nico's home directory, but I don't know why ssh allows to login as a root from any account.

    Anyway I solved my problem in different way.
    I set:
    • PermitRootLogin yes


    but additionally specified the list of user@host (AllowUsers), which can login as a root. The problem was, that I wanted to dissallow root login from the outside of the internal network and this configuration does the work.

    Thanks for help.

  7. #6
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    The PermitRootLogin without-password directive does not work that way. All it does is disable password authentication for root. (It does not enable non-privileged users to login as root remotely.)

    The command line snippet you posted contains a #, which is a root shell.

    I'm not exactly sure why you were seeing the behavior you were; it doesn't make sense. Let me know if you want to pursue it further.

  8. #7
    Just Joined!
    Join Date
    Jan 2007
    Posts
    4
    This # was just an indicator of a shell prompt, I didn't want to insert whole prompt. Now I see I should have put e.g. $, # might be a little confusing.

    The behaviour I observed was really strange for me, but I didn't have enought time to analyze why it happened.
    Anyway I needed to find any solution as quick as possible (as usual ) and the one I found works fine.
    Probably solution with PermitRootLogin without-password directive would be better, I'll try to test it.

    Thanks again for your suggestions.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •