Bug 22930 - root is allowed to login remotely
root is allowed to login remotely
Product: Red Hat Linux
Classification: Retired
Component: openssh (Show other bugs)
All Linux
high Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
: Security
Depends On:
  Show dependency treegraph
Reported: 2000-12-28 02:28 EST by Arenas Belon, Carlo Marcelo
Modified: 2008-05-01 11:37 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-12-28 10:34:51 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Arenas Belon, Carlo Marcelo 2000-12-28 02:28:18 EST
remote login with the root account is usually not allowed, but
/etc/ssh/sshd_config has

  PermitRootLogin yes

allowing anyone to ssh -l root into any RedHat system from RH7 throught the
lates rawhide i am aware of (openssh-server-2.3.0p1-9)

this should be "no" on default or the corresponding pam configuration
should use pam_securetty.so so there is no un unexpected feature that
allows remote root login :( IMHO
Comment 1 Daniel Roesen 2000-12-28 04:47:26 EST
Seconded. Remote root logins should be disabled by default.
Comment 2 Nalin Dahyabhai 2000-12-28 09:57:57 EST
Remote root login is disabled by default as a security measure specifically
because of the hazards of password-sniffing.  Over a cryptographically-protected
channel, it's not necessary.
Comment 3 Daniel Roesen 2000-12-28 10:12:21 EST
Disabling root logins also provides kinda audit trail. You see in the logs _who_
logged in (via su) as root. With direct root logins you don't.
Comment 4 Nalin Dahyabhai 2000-12-28 10:36:37 EST
This is purely a configuration issue, and it's impossible to get it right for
everyone.  We're going to leave this set to the same default that the portable
OpenSSH team includes in theirs.
Comment 5 Christian Rose 2001-01-02 09:24:20 EST
Thirded (?).

I would personally prefer a changed default (to "PermitRootLogin no").

Note You need to log in before you can comment on or make changes to this bug.