[BlueOnyx:17149] Re: Two small 5208R bugs - fixed

Michael Stauber mstauber at blueonyx.it
Thu Feb 26 23:05:59 -05 2015


Hi Dan,

> This however reduces security from our old 5108R boxes!

I'm not worried about 5108R. Nothing was changed there. This patch is
for 5207R, 5208R and 5209R.

> We cannot turn off Password Authentication as users login via SSH.

You do have shell users that login via SSH? Most people prefer to not
grant anyone shell access. For security reasons as we don't chroot shell
users.

> We don't want *anyone* logging in as root with a (80 bit) password
> This is exactly what "PermitRootLogin without-password" allows us to do.

<sigh> And there goes the appliance approach right out of the window.
You DO know that the way it is NOW is the way that it has been for
years. And this never was an issue. The only problem is/was that the
recent updates made the settings flip back to default on CCEd restarts.

So let's say I support all options that "PermitRootLogin" allows. That
would be these:

PermitRootLogin:
- Yes
- No
- without-password
- forced-commands-only

The helptext for that would fill the entire screen. Because thanks to
the *really* stupid naming convention you'll have to explain that
"without-password" means: "Password authentication is disabled for root,
but key based logins as root still work".

And for "forced-commands-only": root login with public key
authentication will be allowed, but only if the command option has been
specified. Which may be useful for taking remote backups even if root
login is normally not allowed. All other authentication methods are
disabled for root.

Like I said: In my eyes this is a departure from the appliance approach.
You shouldn't have users with shell access for security reasons. And
then you could simply use SSH keys like everyone else and be done with
it and get a tightly locked down SSH.

> Please correct me if I have misunderstood but currently under 5208R we 
> now have to choose between having the root account open (albeit hopefully
> with a strong password) or locking down *all* accounts to use public key?

Or you could simply set "PermitRootLogin" to "No", SSH in as "admin" and
"su -" to gain root access. That's how it has always been and that is
what the default after a fresh install is.

So let's do this. In the near future (next couple of days, maybe a week
or two) I'll add "without-password" and "forced-commands-only" as
allowed options to PermitRootLogin. Even if I think that it's unwise, as
it might encourage people to enable shell for non-root users.

-- 
With best regards

Michael Stauber
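
Added example, not part of the original message and not BlueOnyx code: a small Python check of how the four "PermitRootLogin" values discussed above combine with "PasswordAuthentication" to decide what root and ordinary shell users can do. The sample config, the function names and the assumed defaults for missing keywords are constructed for illustration; "prohibit-password" is the name later OpenSSH releases use for "without-password".

```python
# Constructed example: effective root login policy from sshd_config text.
# Tuple: (root password allowed, root key allowed, key needs a forced command)
ROOT_MODES = {
    "yes":                  (True,  True,  False),
    "no":                   (False, False, False),
    "without-password":     (False, True,  False),
    "prohibit-password":    (False, True,  False),  # later name, same mode
    "forced-commands-only": (False, True,  True),
}
# Assumed defaults for keywords missing from the file; verify for your sshd.
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

def global_settings(config_text):
    """Return global keyword -> value; sshd keeps the first value per keyword."""
    settings = {}
    for raw in config_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                      # blank line, comment, or no value
        key = parts[0].lower()            # keywords are case-insensitive
        if key == "match":                # Match blocks are conditional; stop
            break
        settings.setdefault(key, parts[1].strip().lower())
    return settings

def root_login_policy(config_text):
    s = {**DEFAULTS, **global_settings(config_text)}
    mode = s["permitrootlogin"]
    if mode not in ROOT_MODES:
        raise ValueError(f"unknown PermitRootLogin value: {mode!r}")
    pw, key, forced = ROOT_MODES[mode]
    return {
        "mode": mode,
        "root_password": pw and s["passwordauthentication"] == "yes",
        "root_pubkey": key and s["pubkeyauthentication"] == "yes",
        "forced_command_required": forced,
        "user_password": s["passwordauthentication"] == "yes",
    }

# Constructed sample: shell users keep passwords, root is key-only.
# The second PermitRootLogin line is ignored because the first one wins.
SAMPLE = """\
# constructed sshd_config fragment
PasswordAuthentication yes
PermitRootLogin without-password
PermitRootLogin yes
"""

if __name__ == "__main__":
    print(root_login_policy(SAMPLE))
```

On a live system, `sshd -T` prints the effective configuration and is the authoritative check; this parser only reads whitespace-separated global keywords.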


