Opened 12 years ago

Closed 12 years ago

#18 closed (fixed)

boss.utah.geniracks.net appears to allow remote password-based login as root

Reported by: chaos@bbn.com Owned by: somebody
Priority: major Milestone: IG-ADM-2
Component: Administration Version: SPIRAL4
Keywords: Cc:
Dependencies:

Description

On boss.utah.geniracks.net, i see:

  • Per /etc/master.passwd, root's password is not locked
  • Per /etc/ssh/sshd_config, root is permitted to do password-based remote login

For machines which have public IPs, remote users (particularly root) should be restricted to login via public keys, to reduce the risk from SSH password-guessing attacks.

Change History (2)

comment:1 Changed 12 years ago by chaos@bbn.com

Huh, actually, i may be wrong about this: excerpting from /etc/ssh/sshd_config:

PermitRootLogin yes
...
# Change to yes to enable built-in password authentication.
#PasswordAuthentication no

Does that mean password authentication is globally disabled (including for root)? I'm not sure, and, lacking the root password, can't test it out. Would someone mind taking a look, and let us know if this is good as-is, or needs to be locked down more?
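The question above turns on how sshd resolves a keyword that only appears commented out. The following audit helper is an added example, not part of the ticket or of the GENI rack software; it applies the sshd_config(5) rules (first occurrence of a keyword wins, comments contribute nothing, `Match` blocks are conditional) to a constructed config modelled on the excerpt, and reports whether any password path remains open. The compiled-in defaults it assumes (PasswordAuthentication and ChallengeResponseAuthentication default to "yes") are taken from sshd_config(5); the `SAMPLE_CONFIG` text, `effective_value` and `audit_sshd_config` are constructed for this example.

```shell
#!/bin/sh
# Added audit helper (not from the ticket or the GENI rack software).
# Computes the effective GLOBAL value of an sshd_config keyword following
# sshd_config(5): blank lines and "#" comments are ignored, keywords are
# case-insensitive, "Key value" and "Key=value" are both accepted, the FIRST
# occurrence of a keyword wins, and a commented line such as
# "#PasswordAuthentication no" sets nothing (it merely documents a default).
# Lines under a "Match" block apply only conditionally and are excluded.

# Constructed sample modelled on the excerpt in comment:1 (not the real file).
SAMPLE_CONFIG='# sshd_config (constructed sample)
PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
# Change to yes to enable built-in password authentication.
#PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication no
'

# effective_value KEYWORD DEFAULT   (config text on stdin)
# Prints the lower-cased effective value, or DEFAULT when the keyword is unset.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        BEGIN { found = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comment or blank line
        { line = $0; sub(/=/, " ", line); $0 = line }  # Key=value -> Key value
        tolower($1) == "match" { exit }                # end of global section
        tolower($1) == key && !found {
            found = 1
            sub(/^[ \t]*[^ \t]+[ \t]*/, "")            # drop the keyword itself
            sub(/[ \t]+$/, "")
            print tolower($0)
        }
        END { if (!found) print tolower(def) }
    '
}

# Assumed compiled-in defaults (per sshd_config(5) for OpenSSH releases of the
# ticket era): PasswordAuthentication yes, ChallengeResponseAuthentication yes,
# PermitRootLogin yes (newer OpenSSH defaults the latter to prohibit-password).
password_auth()  { effective_value PasswordAuthentication yes; }
challenge_auth() { effective_value ChallengeResponseAuthentication yes; }
root_login()     { effective_value PermitRootLogin yes; }

# audit_sshd_config   (config text on stdin)
# Prints findings; returns 0 when no password path is open, 1 otherwise.
audit_sshd_config() {
    cfg=$(cat)                      # stdin can be read only once, so buffer it
    pa=$(printf '%s\n' "$cfg" | password_auth)
    cr=$(printf '%s\n' "$cfg" | challenge_auth)
    rl=$(printf '%s\n' "$cfg" | root_login)
    rc=0
    [ "$pa" = "yes" ] && { echo "FINDING: PasswordAuthentication effective=$pa"; rc=1; }
    [ "$cr" = "yes" ] && { echo "FINDING: ChallengeResponseAuthentication effective=$cr (keyboard-interactive via PAM can still accept a password)"; rc=1; }
    echo "INFO: PermitRootLogin effective=$rl"
    return $rc
}

# Stand-alone run against the constructed sample.
printf '%s' "$SAMPLE_CONFIG" | audit_sshd_config || echo "VERDICT: password login path still open"
```

On the constructed sample the commented `#PasswordAuthentication no` line contributes nothing, so the helper falls back to the default and flags the file; `ChallengeResponseAuthentication` is checked as well because with `UsePAM` a keyboard-interactive prompt can accept the same password even when `PasswordAuthentication` is off. On the host itself, `sshd -T` run as root prints the fully resolved configuration and is the authoritative check; the helper is for reviewing a copy of the file when, as in comment:1, root access is not available.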

comment:2 Changed 12 years ago by chaos@bbn.com

Resolution: fixed
Status: new → closed

Leigh says:

Hi. I confirmed that password authentication is turned off for all users.
PermitRootLogin is still turned on, but it requires a key.

Good enough, closing this. Thanks, Leigh.
