On 01/08/2015 08:42 AM, Paul Wouters wrote:
On Thu, 8 Jan 2015, Jaroslav Reznik wrote:
== Detailed Description ==
The sshd(8) daemon allows remote users to log in as 'root' by default. This
provides remote attackers an option to brute force their way into a system.
If you want to fight that, you need to set PasswordAuthentication no and
insist that people start using ssh keypairs instead.
Singling out root is not effective against system compromises caused by
brute forcing passwords.
There's another aspect of this, namely accountability. In realistic
environments usually several people have admin privileges, and
password-based root access is hard to manage---e.g. you need to
change the root password everywhere when the sysadmin team changes.
The defense against password attacks is to not permit
password authentication.
Disallowing root access will interfere with legitimate root logins, for
example automated backup logins, or remote administration tools like
puppet or ansible that require root access.
For the automation cases I like Chris Adams' suggestion:
PermitRootLogin without-password
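The thread above argues over two sshd_config knobs (PasswordAuthentication
and PermitRootLogin). What follows is an added example, not code from the
thread or from OpenSSH: a small static audit that reads an sshd_config,
applies sshd's "first value wins, stop at the first Match block" rule, and
reports whether password-based root login is still possible. The two sample
configs are constructed for the example; the defaults assume an OpenSSH of
the era discussed (pre-7.0), where PermitRootLogin defaulted to "yes" as the
proposal text states. "without-password" is treated as the older spelling of
"prohibit-password". The ChallengeResponseAuthentication check is included
because with PAM a password can still be typed via keyboard-interactive even
when PasswordAuthentication is "no".

```python
import re

# sshd semantics that a static audit has to respect:
#   * for each keyword the FIRST value given wins; later duplicates are ignored;
#   * everything after a "Match" line is conditional on the connection, so the
#     global (unconditional) settings end at the first Match block;
#   * a line is a comment only when its first non-blank character is '#'.

# Defaults assumed for an OpenSSH before 7.0 (assumption for this example).
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",  # keyboard-interactive via PAM
}

_KEYVAL = re.compile(r"^([A-Za-z]+)\s*=?\s*(.*)$")

# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """\
# Distribution default of the time: root login left at its default
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
# Keys only for root (keeps puppet/ansible/backup automation working),
# no passwords for anyone, and no PAM keyboard-interactive passwords either.
PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""


def global_settings(config_text: str) -> dict:
    """Return the effective unconditional keyword -> value map (lowercased).

    Implements first-value-wins and stops at the first Match block.
    """
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break  # remaining lines only apply when the Match condition holds
        seen.setdefault(key, value)
    return seen


def audit(config_text: str) -> dict:
    """Summarise what the global settings allow for root and for passwords."""
    g = global_settings(config_text)
    prl = g.get("permitrootlogin", DEFAULTS["permitrootlogin"])
    if prl == "without-password":  # older spelling of the same value
        prl = "prohibit-password"
    password = g.get("passwordauthentication",
                     DEFAULTS["passwordauthentication"]) == "yes"
    kbd_interactive = g.get("challengeresponseauthentication",
                            DEFAULTS["challengeresponseauthentication"]) == "yes"
    password_possible = password or kbd_interactive
    return {
        "permit_root_login": prl,
        "password_auth_possible": password_possible,
        "root_login_possible": prl != "no",
        "root_password_login_possible": prl == "yes" and password_possible,
    }


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg))
```

Note that the audit deliberately ignores the Match block in the hardened
sample: "PasswordAuthentication yes" for the backup user only takes effect
for that user at connection time, so it does not weaken the global verdict,
but it is exactly the kind of exception a reviewer should read separately.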