Opened 12 years ago
Closed 12 years ago
#18 closed (fixed)
boss.utah.geniracks.net appears to allow remote password-based login as root
| Reported by: | chaos@bbn.com | Owned by: | somebody |
|---|---|---|---|
| Priority: | major | Milestone: | IG-ADM-2 |
| Component: | Administration | Version: | SPIRAL4 |
| Keywords: | | Cc: | |
| Dependencies: | | | |
Description
On boss.utah.geniracks.net, I see:
- Per /etc/master.passwd, root's password is not locked
- Per /etc/ssh/sshd_config, root is permitted to do password-based remote login
For machines which have public IPs, remote users (particularly root) should be restricted to login via public keys, to reduce the risk from SSH password-guessing attacks.
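As an added example (not code from the ticket or from the GENI rack project), here is a shell check that applies the rule above to an sshd_config and a BSD master.passwd. It reads sshd_config the way sshd does: the first occurrence of a keyword wins, keywords are case-insensitive, both "key value" and "key=value" are accepted, and anything after a Match line is conditional and so is left out. It also covers the path people forget when they only turn off PasswordAuthentication: keyboard-interactive through PAM (ChallengeResponseAuthentication, default yes, with UsePAM yes) still prompts for a password. The file names and the sample configurations are constructed for the example and are not the real files from the host.

```shell
#!/bin/sh
# Added example, not part of the ticket: decide from an sshd_config and a
# master.passwd whether root can log in remotely with a password.

# effective_sshd_option FILE KEYWORD
# Prints the value of KEYWORD from the global section of an sshd_config
# (nothing if unset).  First occurrence wins, keywords are case-insensitive,
# "key value" and "key=value" are both accepted, and parsing stops at the
# first "Match" line because everything after it is conditional.
# Assumes a single sshd_config with no Include directives.
effective_sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/=/, " ") }        # drop comments, allow key=value
        NF == 0                { next }
        tolower($1) == "match" { exit }          # conditional block: out of scope
        tolower($1) == k       { print tolower($2); exit }
    ' "$1"
}

# ssh_root_password_login FILE
# Prints "allowed" when sshd would accept a remote root login with a
# password, "blocked" otherwise.  Two ways a password can be accepted:
# plain PasswordAuthentication (default yes), or keyboard-interactive via
# PAM (ChallengeResponseAuthentication, default yes, together with UsePAM
# yes).  PermitRootLogin defaulted to "yes" in the OpenSSH of the ticket's
# era (it is "prohibit-password" since OpenSSH 7.0); "yes" is assumed here
# so that an unset value is reported as the risky case.
ssh_root_password_login() {
    f=$1
    prl=$(effective_sshd_option "$f" PermitRootLogin)
    pa=$(effective_sshd_option "$f" PasswordAuthentication)
    cra=$(effective_sshd_option "$f" ChallengeResponseAuthentication)
    kbi=$(effective_sshd_option "$f" KbdInteractiveAuthentication)   # newer name
    pam=$(effective_sshd_option "$f" UsePAM)
    : "${prl:=yes}" "${pa:=yes}" "${cra:=yes}" "${pam:=no}"
    [ -n "$kbi" ] && cra=$kbi
    password_path=no
    [ "$pa" = yes ] && password_path=yes
    [ "$cra" = yes ] && [ "$pam" = yes ] && password_path=yes
    if [ "$prl" = yes ] && [ "$password_path" = yes ]; then
        echo allowed
    else
        echo blocked
    fi
}

# root_password_state FILE
# Classifies root's password field in a BSD master.passwd: "locked" when it
# starts with "*" (what FreeBSD's "pw lock root" writes, as *LOCKED*) or
# "!", "empty" when there is no password at all, "set" when a hash is present.
root_password_state() {
    awk -F: '$1 == "root" {
        if ($2 == "")           print "empty"
        else if ($2 ~ /^[*!]/)  print "locked"
        else                    print "set"
        exit
    }' "$1"
}

# Constructed sample inputs (hypothetical; not the files from the host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak.conf" <<'EOF'
# PasswordAuthentication left at its default (yes)
permitrootlogin=yes
UsePAM yes
EOF
cat > "$tmp/halfway.conf" <<'EOF'
PasswordAuthentication no
PermitRootLogin yes
UsePAM yes
# ChallengeResponseAuthentication left at its default (yes): PAM still prompts
EOF
cat > "$tmp/hardened.conf" <<'EOF'
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin without-password
EOF
cat > "$tmp/master.passwd" <<'EOF'
root:$6$saltsalt$notarealhash:0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
EOF

for c in weak halfway hardened; do
    printf '%-9s root password login: %s\n' "$c" "$(ssh_root_password_login "$tmp/$c.conf")"
done
printf 'root password in master.passwd: %s\n' "$(root_password_state "$tmp/master.passwd")"
```

Static parsing answers the question only for the global section; on the host itself, `sshd -T` prints the effective values, and `sshd -T -C user=root,addr=<client>` evaluates Match blocks for a given connection, which settles the question without needing the root password.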
Change History (2)
comment:1 Changed 12 years ago by
Huh, actually, I may be wrong about this: excerpting from /etc/ssh/sshd_config:
Does that mean password authentication is globally disabled (including for root)? I'm not sure, and, lacking the root password, can't test it out. Would someone mind taking a look, and let us know if this is good as-is, or needs to be locked down more?
comment:2 Changed 12 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
Leigh says:
Hi. I confirmed that password authentication is turned off for all users. PermitRootLogin is still turned on, but it requires a key.
Good enough, closing this. Thanks, Leigh.