Opened 12 years ago
Closed 12 years ago
#22 closed (fixed)
ops.utah.geniracks.net allows remote password-based login
| Reported by: | chaos@bbn.com | Owned by: | somebody |
|---|---|---|---|
| Priority: | major | Milestone: | IG-ADM-2 |
| Component: | Administration | Version: | SPIRAL4 |
| Keywords: | | Cc: | |
| Dependencies: | | | |
Description
Two prospective issues related to password-based login to ops.utah.geniracks.net:
- Remote password-based SSH login to my user account (chaos) succeeds. Is there a plan to protect against password-guessing attacks on user accounts, which can be shared with site admins?
- Since `/etc/ssh/sshd_config` contains `PermitRootLogin yes`, I am concerned that password-based root login may in fact be permitted on ops. Is that the case? If so, could this setting be changed to `without-password`?
On Thursday, Leigh said:
And later followed up to say it was done.
I redid IG-ADM-2 step 2A, and indeed found that password-based login is disabled for all users.
BTW, Leigh, note that Emulab inserts "PermitRootLogin yes" on ops, so the file now contains:

This isn't operationally relevant at all, though --- I only mentioned the possibility of configuring root separately in case passwords couldn't be disabled for all users. Since they can be (which sounds good to me), the root setting is harmless.
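
An added example (not part of the ticket or of the rack's own tooling) of the check behind the last comment: whether `PermitRootLogin yes` matters depends on the effective `PasswordAuthentication` value, and sshd uses the first value it reads for each keyword. The sample configs are constructed, the function names are hypothetical, and only the global section is read (no `Match` blocks, `Include` files or keyboard-interactive/PAM settings).

```shell
#!/bin/sh
# Added example: constructed sshd_config samples, not the real files from ops.

# Print the effective global value of KEYWORD in FILE, or DEFAULT if unset.
# sshd uses the first value it reads for a keyword; later lines are ignored.
effective_sshd_value() {   # usage: effective_sshd_value FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            sub(/^[ \t]+/, "")
            split($0, f, /[ \t=]+/)             # "Keyword value" or "Keyword=value"
            k = tolower(f[1]); v = tolower(f[2]); gsub(/"/, "", v)
        }
        k == "match" { exit }                   # stop at the first conditional block
        k == key { print v; found = 1; exit }   # first occurrence wins
        END { if (!found) print def }
    ' "$1"
}

# Succeeds (exit 0) when root can log in with a password under FILE.
root_password_login_allowed() {
    pw=$(effective_sshd_value "$1" PasswordAuthentication yes)
    # prohibit-password is the default since OpenSSH 7.0; older releases used yes.
    root=$(effective_sshd_value "$1" PermitRootLogin prohibit-password)
    [ "$pw" = yes ] && [ "$root" = yes ]
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Constructed: the setting quoted in the ticket, passwords left at the default.
printf 'PermitRootLogin yes\n' > "$tmp/before"
# Constructed: passwords disabled for all users, root line still present.
printf 'PasswordAuthentication no\nPermitRootLogin yes\n' > "$tmp/after"
# Constructed: a "yes" inserted after an earlier, stricter line has no effect.
printf 'PermitRootLogin without-password\nPermitRootLogin yes\n' > "$tmp/dup"

for f in before after dup; do
    if root_password_login_allowed "$tmp/$f"; then verdict=ALLOWED; else verdict=blocked; fi
    printf '%-6s root password login: %s\n' "$f" "$verdict"
done
```

On a live host, `sshd -T` prints the configuration sshd actually resolved, including defaults and included files, and is the authoritative source for the same two keywords.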