Prohibit Password login as root via SSH


Recommended Posts

/etc/ssh/sshd_config

Contains a line that reads:

PermitRootLogin yes

And also a commented out line that reads:

#PermitRootLogin prohibit-password

 

The official manual at https://www.openssh.com/manual.html links to https://man.openbsd.org/sshd_config and the section relevant to this request is https://man.openbsd.org/sshd_config#PermitRootLogin where it is documented that prohibit-password is the default behavior.

 

The sshd_config file currently shipped defines PermitRootLogin as yes. Allowing password login as root can be viewed as convenient for users, but requiring the use of SSH keys to login as root should be considered a significant security improvement.

 

The unRAID web GUI has a very easy and convenient way to add and manage authorized_keys for the root user, and it can also be accomplished by editing:

/boot/config/ssh/root/authorized_keys

It would also be a nice touch to include some kind of an informational link in the web GUI next to the "SSH authorized keys" setting when editing the root user (maybe in the tips shown when enabling the Help information) that informs the user how to generate SSH keys. It probably makes the most sense for this to be documented somewhere like https://wiki.unraid.net/Terminal_Access#SSH (just include information about using ssh-keygen similar to https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent and information about adding the key to the root user) and use that as the link in the GUI, possibly include the information directly in the GUI help tips.

 

Some extra information just to be clear about why I'm opening this request:

 

Making the above modification (specifically just remove the "PermitRootLogin yes" line from /etc/ssh/sshd_config and the behaviour will fall back to "PermitRootLogin prohibit-password") does not disable logging into SSH as root, it just requires using an SSH key to login as root and (as the default value implies) prohibits using a password when logging into SSH as root.

 

I am aware that I can create my own file at:

/boot/config/ssh/sshd_config

Either by writing it from scratch or copying from /etc/ssh/sshd_config and modifying what I need. This is noted at https://wiki.unraid.net/Manual/Release_Notes/Unraid_OS_6.9.0#SSH_Improvements but I feel this change would be a valid improvement to default SSH security provided by unRAID. Users can opt to use /boot/config/ssh/sshd_config as a way to re-enable logging in as root with a password.

 

I have tested the modification by copying /etc/ssh/sshd_config to /boot/config/ssh/sshd_config and removing the "PermitRootLogin yes" line and running "/etc/rc.d/rc.sshd restart" and then confirming I am unable to login to SSH as root using a password but still able to login to SSH as root using a key.

 

Edit: I would also be interested in discussing additional security enhancements to the default SSH configuration, and I will cite https://infosec.mozilla.org/guidelines/openssh (up to date as of 2022).

Edited by iXNyNe
  • Like 3
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.