Opened 7 years ago

Closed 7 years ago

#22 closed (fixed)

ops.utah.geniracks.net allows remote password-based login

Reported by: chaos@bbn.com Owned by: somebody
Priority: major Milestone: IG-ADM-2
Component: Administration Version: SPIRAL4
Keywords: Cc:
Dependencies:

Description

Two prospective issues related to password-based login to ops.utah.geniracks.net:

  1. Remote password-based SSH login to my user account (chaos) succeeds. Is there a plan to protect against password-guessing attacks on user accounts, which can be shared with site admins?
  2. Since /etc/ssh/sshd_config contains:
    PermitRootLogin yes
    
    I am concerned that password-based root login may in fact be permitted on ops. Is that the case? If so, could this setting be changed to without-password?

Change History (1)

comment:1 Changed 7 years ago by chaos@bbn.com

Resolution: fixed
Status: new → closed

On Thursday, Leigh said:

> 1. Remote password-based SSH login to my user account (chaos) succeeds.
>  Is there a plan to protect against password-guessing attacks on user
>  accounts, which can be shared with site admins?

Finally got this straightened out ... when you are done today I will fix up
the sshd config file on boss and ops and restart sshd.

And later followed up to say it was done.

I redid IG-ADM-2 step 2A, and indeed found that password-based login is disabled for all users.

BTW, Leigh, note that Emulab inserts "PermitRootLogin yes" on ops, so the file now contains:

$ grep "^PermitRootLogin" /etc/ssh/sshd_config
PermitRootLogin without-password
PermitRootLogin yes

This isn't operationally relevant at all, though --- I only mentioned the possibility of configuring root separately in case passwords couldn't be disabled for all users. Since they can be (which sounds good to me), the root setting is harmless.
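Added example (not part of this ticket, nor Emulab or GENI code): a small POSIX sh audit that reads an sshd_config the way sshd does and reports whether password-based login is open. It encodes two facts from the ticket: sshd uses the first value it finds for a keyword, so the "PermitRootLogin yes" that Emulab appends after "PermitRootLogin without-password" has no effect; and once PasswordAuthentication is "no", the PermitRootLogin value is moot for password guessing. The function names, the return codes and the sample configs are assumptions made here; directives after the first "Match" line are conditional and are deliberately ignored, and on a real host "sshd -T" prints the effective configuration and is the authoritative check.

```shell
#!/bin/sh
# Hypothetical sshd_config audit (example code, not from the ticket).
# sshd keeps the FIRST value it sees for a keyword, so a directive appended
# later by a tool (as Emulab does on ops) does not override an earlier one.
# Only the global section is read: everything after the first "Match" line
# is conditional and skipped here (simplification).

# effective_sshd_option FILE KEYWORD
# Prints the first value of KEYWORD (case-insensitive), skipping comments and
# blank lines; prints nothing if the keyword is not set in the global section.
effective_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/  { next }              # blank line or comment
        tolower($1) == "match" { exit }              # stop at conditional blocks
        tolower($1) == key     { print $2; exit }    # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE
# Returns 0 when password authentication is off for every user (the state the
# ticket ended in), 1 when passwords are accepted but root is excluded or its
# setting is unknown, 2 when root can also log in with a password.
audit_sshd_config() {
    pw=$(effective_sshd_option "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    root=$(effective_sshd_option "$1" PermitRootLogin | tr 'A-Z' 'a-z')

    if [ "$pw" = "no" ]; then
        echo "OK: password authentication disabled for all users" \
             "(PermitRootLogin=${root:-unset} is moot for password guessing)"
        return 0
    fi

    # PasswordAuthentication defaults to yes when unset, so anything but "no"
    # leaves every account exposed to remote password guessing.
    echo "FAIL: PasswordAuthentication=${pw:-unset (defaults to yes)}:" \
         "user accounts accept passwords"
    case "$root" in
        yes)
            echo "FAIL: PermitRootLogin=yes: root may also log in with a password"
            return 2 ;;
        "")
            echo "WARN: PermitRootLogin unset; the default depends on the OpenSSH version"
            return 1 ;;
        *)
            # no / without-password / prohibit-password / forced-commands-only
            echo "NOTE: PermitRootLogin=$root: root cannot use a password"
            return 1 ;;
    esac
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd_config "$1"
fi
```

Run against the ops file from the comment above, the script reports the effective PermitRootLogin as without-password and passes, which matches the conclusion that the trailing "yes" line is harmless; on a file that sets only "PermitRootLogin yes" it reports that both user accounts and root accept passwords.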
