6

How do I disable remote root login via ssh?

I want to log into my server (I use keys on my main comp) then su into root instead of access root directly.

I am using Debian. I follow guides online which say add PermitRootLogin no to the file and another mention Protocol 2. Then reset ssh. /etc/init.d/ssh restart. I did this and it did not work. I was able to log into root using putty.

How do I disable remote root login on Debian?

tshepang
  • 64,472
  • 86
  • 223
  • 290
  • While you're at it, by the way, I suggest setting `PasswordAuthentication no` and `ChallengeResponseAuthentication no`, so that keys are _required_. – mattdm Mar 09 '11 at 00:35
  • And you can also set `AllowUsers acidzombie`, so that only that account can log in. – mattdm Mar 09 '11 at 00:39
  • @mattdm: Why require keys? I rather not have keys as if someone grabs my computer or somehow gets access to my private keys he could log in. I just have keys going into my account (which really is the same password as root but i type less) then su into it –  Mar 09 '11 at 00:51
  • 1
    @acidzombie24: Keys because passwords can get brute forced, or stolen should the machine get compromised. Set a passphrase on your key, which will allow you time to change the authorized_keys if it's stolen. – mattdm Mar 09 '11 at 01:08
  • @mattd: Isnt that redundant? Putting a password on my private keys instead of using that same password to log into my server? I rather use a password on server in case i am using someone elses machine. –  Mar 09 '11 at 01:12
  • @acidzombie24: that's definitely more convenient, but how do you know their terribly-maintained windows system doesn't have a botnet with a keylogger looking for ssh passwords? Passphrases are not redundant because they don't ever leave _your_ system. And you can use `ssh-agent` to make them more convenient (ideally with that cleared on screen lock or after a duration). – mattdm Mar 09 '11 at 01:15
  • @mattdm: Why dont you change your comment to an answer so ppl can upvote them. Good point but then how do i login to my server on a terribly-maintained comp with a keylogger? I looked up ssh-agent and i am unsure how it will be useful. As a note i use winscp, putty and store my passwords unprotected and use putty to log me into certain accounts. One account is my backup user which only has permissions for one directory which is where a cron job copies backups to. (i have windows task run a local script using winscp to retrieve it) –  Mar 09 '11 at 01:26
  • @mattdm: Even though i accepted an answer i am still interested in how you would set this up. So right now i use unprotected prv keys to acidzombie which has same password as root. Then loginto root using su and said password. I win putty and winscp. I would like to know what you suggest with your key technique and on logging in when using a machine with a keylogger/other ppls comp –  Mar 09 '11 at 01:54
  • Simple: I avoid logging on to my machine from other people's computers. If I don't have my laptop, I use my phone. But this is all really a separate question. Another approach would be to use one-time codes or a software/hardware token. – mattdm Mar 09 '11 at 01:59
  • @mattdm: I was thinking about another question. Alright, ETA is <20mins from now. How would you ever log in via your phone? or create the one time codes? –  Mar 09 '11 at 02:08

2 Answers2

9

I'm going to take a guess on this one, but I'm pretty confident.

I bet there's a PermitRootLogin yes line already in your file. SSH will only use the first line it finds, and will ignore a duplicate further down. So if you just added PermitRootLogin no to the end of the file without removing the line above, there will be no effect.

mattdm
  • 39,535
  • 18
  • 99
  • 133
  • +1 but wrong. After i did a search and found only that one line, i moved it to the very top of the file. Saved, restart ssh and tried logging in. It still allowed me :( –  Mar 09 '11 at 00:50
  • 2
    @acidzombie24: Well, that's curious. Anything interesting logged? Just to be double-sure ("Is your computer plugged in?"), you're editing sshd_config, not ssh_config, right? – mattdm Mar 09 '11 at 01:09
  • 1
    That was it, sshd_config. I didnt see it nor realize that the sites said to modify ssh**d**. It didnt help when it said fine the lines with XYZ when the said lines are also in ssh_config. Problem solved. –  Mar 09 '11 at 01:35
2

One of the peculiarities of ssh is that PAM-based authentication can't be fully controlled by it directly. You should check the PAM stack /etc/pam.d/sshd; I would add pam_access to the auth section (see pam_access(8) and access.conf(5) manual pages).

That said, PermitRootLogin No should work regardless. (PermitRootLogin without-password is the screw case.)

geekosaur
  • 31,429
  • 5
  • 79
  • 58
  • 1
    (And FWIW, `ChallengeResponseAuthentication no` is the solution to that "screw case".) – mattdm Mar 09 '11 at 01:13
  • Usually, but not always. You may want to use PAM auth for S/Key / Opie (which at least some security regimes don't consider a "password"), SecurID, or other authentication mechanisms that `ssh` can't use directly. – geekosaur Mar 09 '11 at 01:47