Bug 22930 - root is allowed to login remotely
Summary: root is allowed to login remotely
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssh   
(Show other bugs)
Version: 7.1
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2000-12-28 07:28 UTC by Arenas Belon, Carlo Marcelo
Modified: 2008-05-01 15:37 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-12-28 15:34:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Arenas Belon, Carlo Marcelo 2000-12-28 07:28:18 UTC
remote login with the root account is usually not allowed, but
/etc/ssh/sshd_config has

  PermitRootLogin yes

allowing anyone to ssh -l root into any RedHat system from RH7 throught the
lates rawhide i am aware of (openssh-server-2.3.0p1-9)

this should be "no" on default or the corresponding pam configuration
should use pam_securetty.so so there is no un unexpected feature that
allows remote root login :( IMHO

Comment 1 Daniel Roesen 2000-12-28 09:47:26 UTC
Seconded. Remote root logins should be disabled by default.

Comment 2 Nalin Dahyabhai 2000-12-28 14:57:57 UTC
Remote root login is disabled by default as a security measure specifically
because of the hazards of password-sniffing.  Over a cryptographically-protected
channel, it's not necessary.

Comment 3 Daniel Roesen 2000-12-28 15:12:21 UTC
Disabling root logins also provides kinda audit trail. You see in the logs _who_
logged in (via su) as root. With direct root logins you don't.

Comment 4 Nalin Dahyabhai 2000-12-28 15:36:37 UTC
This is purely a configuration issue, and it's impossible to get it right for
everyone.  We're going to leave this set to the same default that the portable
OpenSSH team includes in theirs.

Comment 5 Christian Rose 2001-01-02 14:24:20 UTC
Thirded (?).

I would personally prefer a changed default (to "PermitRootLogin no").

Note You need to log in before you can comment on or make changes to this bug.