Bug 66488

Summary:	By default sshd allows root login from anyone
Product:	Gentoo Linux	Reporter:	Philippe Trottier (RETIRED) <tchiwam>
Component:	Current packages	Assignee:	Gentoo Security <security>
Status:	RESOLVED DUPLICATE
Severity:	major
Priority:	High
Version:	2004.2
Hardware:	All
OS:	All
Whiteboard:
Package list:		Runtime testing required:	---

Description Philippe Trottier (RETIRED) gentoo-dev

2004-10-05 23:03:19 UTC

/etc/ssh/sshd_config:

#PermitRootLogin yes


To reproduce:

Install a system from stage1
emerge system
emerge kernel
emerge bootloader
...

rc-update add sshd default

reboot

from another machine, ssh root@newgentoomachine
type password

voil

Comment 1 Philippe Trottier (RETIRED) gentoo-dev

2004-10-05 23:03:19 UTC

/etc/ssh/sshd_config:

#PermitRootLogin yes


To reproduce:

Install a system from stage1
emerge system
emerge kernel
emerge bootloader
...

rc-update add sshd default

reboot

from another machine, ssh root@newgentoomachine
type password

voilà...

Should not let you in... root dictionay attack are more interesting than normal users ...

Comment 2 Rajiv Aaron Manglani (RETIRED) gentoo-dev

2004-11-21 19:02:09 UTC

from man sshd_config:

    PermitRootLogin
             Specifies whether root can login using ssh(1).  The argument must be ``yes'',
             ``without-password'', ``forced-commands-only'' or ``no''.  The default is ``yes''.

so you have to explicitly set it to 'no'.

see also bug 51523 and bug 41215.

Comment 3 SpanKY gentoo-dev

2004-11-21 19:19:01 UTC


*** This bug has been marked as a duplicate of 41215 ***