Ridding myself of root passwords?

S. Dale Morrey sdalemorrey at gmail.com
Thu Feb 6 09:30:44 MST 2014


Well oddly enough today I had a server hacked.  There was a privilege
escalation flaw in the only exposed daemon (probably a 0 day of some sort;
I've reported it to the devs).

Someone managed to get root, remove the cert, set a password and login via
ssh and then set the box up as a spam relay of all things.
I think from now on, I'm going to see if there is a way to just completely
remove the root user.  (Box is fully patched and auto-updates and applies
patches daily).

I would like to set up a central auth server (probably LDAP) that auths me
as an individual to these servers.  Then remove root completely.  Is that
even possible?
I guess in reality it would be no different than just renaming root to a
different name, but frankly cleaning up the damage from this script kiddy
is annoying me.

Having an auth server be authoritative for a box, and then have permissions
and groups set by the box seems like a decent solution, but then I ask
myself, what happens when the authbox gets cracked?




On Thu, Feb 6, 2014 at 9:23 AM, Michael Torrie <torriem at gmail.com> wrote:

> On 02/06/2014 04:02 AM, Dan Egli wrote:
> > Interesting, and I could certainly see that in a /root/.sshd/config file,
> > but in the master file? That indicates that unless you have the
> > certificate, NO ONE can login via SSH. That seems overkill to me.
>
> Well, if you're a site like github, hosting git repos over ssh, it's
> probably a very wise prudent thing to do.  Requiring all your users to
> access via key is the only safe thing to do, really.  Of course in my
> situation, and github's, there is a method for securely installing keys.
> In my case I can get in via a secure web-based terminal that Linode
> provides and add my key. In github's case you use their web interface to
> load the key.
>
> > Perhaps
> > that works good in your situation, but I certainly can't see a situation
> > where I'd want to do that. In root's config, sure. That makes a LOT of
> > sense. But not for every user on the system. I suppose you could override
> > the global behavior by an individual user's .sshd/config file, but that
> > still seems like overkill to me.
>
> You can easily do what you say with the global file. That's what the
> "PermitRootLogin without-password" option is for.
>
> > Perhaps you can explain why you block
> > logins except via ssh key or certificate to all users? I'd be curious to
> > understand the reasoning behind this approach.
>
> Frankly it's the only way to secure an ssh server from brute-force
> attacks.  Actually it stops brute force attacks at the door, since they
> don't offer any keys upon connecting, so they get disconnected before
> they can even offer a password to try.
>
> Plus ssh keys are just way more secure than passwords, that we all know
> are not well-chosen by end users.  And they aren't that hard to use.
>
> /*
> PLUG: http://plug.org, #utah on irc.freenode.net
> Unsubscribe: http://plug.org/mailman/options/plug
> Don't fear the penguin.
> */
>
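One way to check whether a box actually matches the policy Michael describes (key-only logins, root locked down through PermitRootLogin) is a small POSIX shell audit of sshd_config. This is an added example, not code from anyone in this thread; the function names effective_value and audit_sshd_config are hypothetical, and the two config files it writes are constructed samples, not real server files. It honours two sshd parsing rules that trip people up: the first occurrence of a keyword wins, and anything after the first Match line is conditional rather than global.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the two
# settings the reply discusses, root login policy and password logins.
# effective_value and audit_sshd_config are hypothetical helper names.

# effective_value FILE KEYWORD
# Print the global value of KEYWORD as sshd would apply it:
#  - keywords are case-insensitive, "key value" and "key=value" both parse,
#  - the FIRST occurrence wins, later duplicates are ignored,
#  - anything after the first "Match" line is conditional, not global,
#  - comments and blank lines are skipped.
# Prints nothing if the keyword is not set globally. Include directives
# (OpenSSH 8.2+) are not followed; check included files separately.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF == 0    { next }
        {
            line = $0
            gsub(/=/, " ", line)
            split(line, f)
            k = tolower(f[1])
            if (k == "match") exit
            if (k == key) { print f[2]; exit }
        }
    ' "$1"
}

# audit_sshd_config FILE
# Print one finding per setting; return 0 when both are hardened, 1 otherwise.
audit_sshd_config() {
    cfg=$1
    weak=0

    root=$(effective_value "$cfg" PermitRootLogin)
    case $(printf '%s' "$root" | tr 'A-Z' 'a-z') in
        no)
            echo "ok   PermitRootLogin=no (root never logs in over SSH)" ;;
        prohibit-password|without-password)
            echo "ok   PermitRootLogin=$root (root only with a key, never a password)" ;;
        forced-commands-only)
            echo "ok   PermitRootLogin=$root (root only via key-bound forced commands)" ;;
        yes)
            echo "WEAK PermitRootLogin=yes (a root password alone grants a shell)"; weak=1 ;;
        '')
            echo "WEAK PermitRootLogin unset (default depends on OpenSSH version; set it)"; weak=1 ;;
        *)
            echo "WEAK PermitRootLogin=$root (unrecognised value)"; weak=1 ;;
    esac

    pw=$(effective_value "$cfg" PasswordAuthentication)
    case $(printf '%s' "$pw" | tr 'A-Z' 'a-z') in
        no)
            echo "ok   PasswordAuthentication=no (brute force has nothing to guess)" ;;
        *)
            echo "WEAK PasswordAuthentication=${pw:-unset} (sshd defaults to yes)"; weak=1 ;;
    esac
    return $weak
}

# Stand-alone demo with two constructed configs (not real server files).
demo() {
    tmpdir=$(mktemp -d)
    # Constructed "before": password logins and root both allowed.
    printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$tmpdir/before"
    # Constructed "after": key-only, root locked out. The duplicate
    # PasswordAuthentication line and the Match block must not change
    # the global result, because sshd uses the first occurrence.
    cat > "$tmpdir/after" <<'EOF'
# hardened sshd_config (constructed sample)
PubkeyAuthentication yes
PasswordAuthentication no
permitrootlogin=no
PasswordAuthentication yes
Match User backup
    PermitRootLogin yes
EOF
    for f in before after; do
        echo "== $f =="
        if audit_sshd_config "$tmpdir/$f"; then
            echo "result: hardened"
        else
            echo "result: needs work"
        fi
    done
    rm -rf "$tmpdir"
}
demo
```

Run it against a live file with `audit_sshd_config /etc/ssh/sshd_config`; a non-zero return makes it usable from a config-management check. Note that `without-password` is the older spelling of `prohibit-password` and OpenSSH still accepts both, so the audit treats them identically.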

