On 01/08/2015 08:42 AM, Paul Wouters wrote:
On Thu, 8 Jan 2015, Jaroslav Reznik wrote:
> == Detailed Description ==
> Sshd(8) daemon allows remote users to login as 'root' by default. This
> provides remote attackers an option to brute force their way into a
> system.
If you want to fight that, you need to set PasswordAuthentication no and
insist that people start using ssh keypairs instead.
Singling out root is not effective against system compromises caused by
brute forcing passwords.
There's another aspect of this, namely accountability. In realistic
environments usually several people have admin privileges and
password-based root access is hard to manage---e.g. you need to change
root password everywhere when the sysadmin team changes.
The defense against password attacks is to not permit password
authentication.
Disallowing root access will interfere with legitimate root logins, for
example automated backup logins, or remote administration tools like
puppet or ansible that require root access.
For the automation cases I like Chris Adams' suggestion:
PermitRootLogin without-password
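An added example, not part of the thread and not Fedora's or OpenSSH's own code: a small POSIX sh script that audits the two sshd_config directives discussed above (PasswordAuthentication and PermitRootLogin) in a given file. It encodes the sshd_config(5) rules that bite people when they "harden" a config by appending lines: sshd takes the first occurrence of a keyword and ignores later ones, keywords are case-insensitive, and directives after a Match line apply only inside that block. The two sample config files (WEAK_CFG and HARD_CFG) and the helper names effective_value and check_sshd_config are constructed for this example; the defaults assumed when a keyword is absent are PasswordAuthentication yes and PermitRootLogin yes, which was the OpenSSH 6.x default at the time of the thread (OpenSSH 7.0 later changed it to prohibit-password, a synonym of without-password).

```shell
#!/bin/sh
# Added example (not from the thread): audit PasswordAuthentication and
# PermitRootLogin in an sshd_config. Two constructed sample files are
# written below so the script runs offline. Rules it encodes:
#   - sshd uses the FIRST occurrence of a keyword; later ones are ignored,
#     so a hardened line appended to the end of the file does nothing.
#   - keywords are case-insensitive; lines starting with "#" are comments.
#   - directives after a "Match" line are scoped to that block, so the
#     global scan stops there (Match blocks themselves are not audited).

# effective_value FILE KEYWORD: print the effective global value of KEYWORD
# in FILE (empty output if it is not set before any Match block).
effective_value() {
    awk -v k="$2" '
        /^[ \t]*#/ || NF == 0       { next }            # comment or blank
        tolower($1) == "match"      { exit }            # Match scope begins
        tolower($1) == tolower(k)   { print $2; exit }  # first hit wins
    ' "$1"
}

# check_sshd_config FILE: return 0 if password authentication is off and
# root logins are key-only or disabled; otherwise print why and return 1.
check_sshd_config() {
    rc=0
    pw=$(effective_value "$1" PasswordAuthentication)
    root=$(effective_value "$1" PermitRootLogin)
    # assumed defaults when unset: PasswordAuthentication yes, and
    # PermitRootLogin yes (OpenSSH 6.x, 2015; 7.0+ defaults to prohibit-password)
    : "${pw:=yes}" "${root:=yes}"
    case "$(printf %s "$pw" | tr '[:upper:]' '[:lower:]')" in
        no) ;;
        *)  echo "$1: PasswordAuthentication is '$pw' (password brute force possible)"; rc=1 ;;
    esac
    case "$(printf %s "$root" | tr '[:upper:]' '[:lower:]')" in
        no|without-password|prohibit-password|forced-commands-only) ;;
        *)  echo "$1: PermitRootLogin is '$root' (root login by password allowed)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample 1: the "fixed" lines were appended after the originals,
# so the file still permits password logins as root.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
# constructed sample config (weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# appended later; ignored by sshd because the keywords already appeared above
PermitRootLogin without-password
PasswordAuthentication no
EOF

# Constructed sample 2: the settings suggested in the thread, plus a Match
# block to show that the global scan stops there.
HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
# constructed sample config (hardened)
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin without-password
Match Address 192.0.2.0/24
    X11Forwarding yes
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    if check_sshd_config "$f"; then
        echo "$f: password auth off, root is key-only"
    fi
done
```

On a real host the authoritative check is `sshd -T` (extended test mode), which prints the effective configuration as sshd itself parses it, including defaults; the script above is useful for files that are not on a machine with sshd installed, such as configs held in a puppet or ansible repository. Note that PermitRootLogin without-password only disables password logins for root; PasswordAuthentication no is still needed to stop password brute forcing against every other account, which is the point made earlier in the thread.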