I promised myself I wouldn’t do this. This newsletter/blog is about SAP on Linux, and I didn’t want to get off on tangents.
Sometimes, however, I find something that I believe is too important.
It IS 2020, Right?
As I mentioned in A Brief History of Time, I first explored a UNIX environment in the late 80s, and actually started working with UNIXes in the early 90s. Ah, those were the days; none of this World-Wide Web, we had FTP! Give me vi, we said, or give me death! Social media? Pfui! We had Usenet!
And telnet! How could I forget logging in, as root, via telnet?
Everyone still does that, right?
Sure, it’s been almost 21 years since OpenSSH was released, but why are we worrying so much, really?
I Wish I Was Joking
I thought the notion that remote root login was a good idea had died a well-deserved death at least 20 years ago. Apparently…not.
Just recently, I found TWO online postings (OK, one is from 2005, but the other is from late last year) advancing the idea that it’s OK to log in remotely as root, one on LiquidWeb and then this other one (look at Item #7).
The latter says, in part:
Saying “don’t login as root” is h******t. It stems from the days when people sniffed the first packets of sessions so logging in as yourself and su-ing decreased the chance an attacker would see the root pw, and decreased the chance you got spoofed as to your telnet host target. You’d get your password spoofed but not root’s pw. Gimme a break. This is 2005 – We have ssh, used properly it’s secure. Used improperly none of this 1989 will make a damn bit of difference.
Really? Those are the only concerns? That’s all we have to worry about? Hmmmm… maybe we should get rid of all this SSL stuff, too.
Remote root is Bad - No, Really, It Is BAD
If you search on terms like ssh server root login, you’ll find all sorts of results, from OS vendor documentation to blog postings to CVEs to “hardening guides” to substack newsletters. The vast majority of these sources will advise that remote root should be disabled.
Granted, many of them will simply advise setting PermitRootLogin no, and ignore the differences between that and using {Allow,Deny}{Groups,Users}, but still, pretty much all of them advise avoiding remote root access. It perplexes me that anyone would suggest otherwise.
And no, just because the SSH server is “used properly”, not all security concerns are addressed. If everyone and their dog logs in as root, there is no accountability/auditability. Was it Fred who, logged in as root, deleted that critical configuration file? Or was it Sally, also logged in as root, who did it? Or maybe it was Jim’s dog rebooting that production database in the middle of the day.
At least if Fred, Sally and Jim’s dog log in as themselves and escalate privilege, there are some mechanisms by which users can be held to account for their actions. I’m not going to get into explanations, discussions or arguments about the mechanisms - all of those conversations have been held, repeatedly, elsewhere.
Yes, You DO Want to DISABLE root Login
And when you do it, PermitRootLogin no is just the start. In addition, you want DenyUsers root. This isn’t a security newsletter, so I’m not going to bore you with the details.
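As an added illustration (not code from this post), the check below audits sshd_config text for both settings named above and also flags a Match block that turns root login back on. The function name audit_root_login and the sample configs are hypothetical and constructed for the example.

```python
import fnmatch

# Constructed sample configs (not taken from any real host).
WEAK = "PermitRootLogin prohibit-password\nDenyUsers guest\n"
HARDENED = (
    "permitrootlogin no\n"
    "# sshd keeps the first value it reads, so the next line has no effect\n"
    "PermitRootLogin yes\n"
    "DenyUsers guest root\n"
)

def audit_root_login(text):
    """Return a list of findings; an empty list means root login is refused
    by both PermitRootLogin and DenyUsers.

    Simplifications: Include files are not followed, negated (!) patterns
    are ignored, and everything after the first Match line is treated as
    conditional."""
    findings, permit, denied, in_match = [], None, False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Keywords are case-insensitive; "Keyword=value" is also accepted.
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), [a.strip('"') for a in parts[1:]]
        if key == "match":
            in_match = True
        elif key == "permitrootlogin" and args:
            value = args[0].lower()
            if in_match and value != "no":
                findings.append("Match block sets PermitRootLogin " + value)
            elif not in_match and permit is None:
                permit = value
        elif key == "denyusers" and not in_match:
            # USER@HOST only blocks root from that host, so it does not count.
            denied = denied or any(
                "@" not in p and fnmatch.fnmatchcase("root", p) for p in args)
    if permit != "no":
        findings.append("global PermitRootLogin is %s, expected no"
                        % (permit or "unset"))
    if not denied:
        findings.append("global DenyUsers does not list root")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_root_login(cfg) or "ok")
```

The output of sshd -T, which prints the effective configuration, can be passed to the same function.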