The How-To Geek Forums Have Migrated to Discourse

How-To Geek Forums / Linux

In response to: Security Tip: Disable Root SSH Logins on Linux

(1 post)
  • Started 3 years ago by xsamurai
  • Topic Viewed 1034 times


Recommended: Clean Your Mac the Easy Way with CleanMyMac 3

If you want to clean up your Mac the easy way, CleanMyMac is a great tool to get the job done easily, and it will even keep your computer clean automatically.

Unlike the competition, it also includes great tools like a Clean Uninstaller, to get rid of applications and clean up the junk that they leave behind. All with the click of a button.

Download CleanMyMac 3 for Free Today

Posted yesterday 
Posts: 1

In response to Security Tip: Disable Root SSH Logins on Linux

There was an option that wasn't covered for allowing direct root logins via ssh for linux. And that's with sshd and pam.d. It's really a simple solution if you need to allow direct root logins from a server, subnet, domain, IPv4/v6 etc.

Without getting into the specifics of PAM what you want to do is add the following line to /etc/security/access.conf
- : root : ALL EXCEPT <space delimited server list here>

and add this line: account require to your /etc/pam.d/sshd file.
NOTE: You may not have to add this line to /etc/pam.d/sshd if sshd requires system-auth and is referenced there.

Now you've effectivly limited where the root user can login from. Of course, disabling direct root altogether is a better and more secure option, if you have a bunch of legacy scripts (like I do) that gather information from servers, or do things like account modification for 100's of Linux servers, and rewriting all of those legacy scripts to login and use a PRIV facility like su or sudo would cost countless amounts of man hours. Just the thought of pouring over 10's of thousands of lines of non portable code that came from HP-UX or AS400 makes me want to be thrown into a bathtub with a family of rabbid racoons.

Just my two cents,

Posted 3 years ago

Topic Closed

This topic has been closed to new replies.