By:
psmod2

Root Access With SSH - PermitRootLogin or PasswordAuthentication

January 20, 2017
Security

Hi,

I just did a one-click install of MongoDB. I SSH into the machine and it's all OK.

Now I want to disable password login to the machine to prevent brute force; however, two different articles state two different things to achieve this:

Is it:

PasswordAuthentication no 

OR

PermitRootLogin without-password

The latter I can't actually see in my /etc/ssh/sshd_config file.

Also, by doing this, I presume that if I access the console via the DigitalOcean page I can still use the password to log in?

If not, then what would happen if the certs on my machine went missing?

Thanks.

3 Answers
jtittle January 21, 2017
Accepted Answer

@Woet

From a security standpoint, disabling root login and creating a sudo user is recommended -- it's what many would refer to as a best practice. Please don't say it's not important as that's a misconception. When a sudo user is perfectly capable of handling root level commands and, unlike root, is not a well known and highly targeted user, there's no excuse to allow root logins.

@psmod2

When it comes to security and preventing potential attacks, it's best to simply create a sudo user and disable root login. The root user is well-known and will be the first one targeted by an attacker. When it comes to automated attacks, when root login is disabled, the login attempts will simply fail.

If you want to take things one step further, I would recommend that your sudo user not be a common user that is given ownership over any specific directories or files. When it comes to ownership of web-facing files and directories, you should create a user that has standard limited permissions.

  • I'm not a fan of security through obscurity, just use a strong public key with passphrase.

    • @Woet

      Security through obscurity would be changing the SSH port from 22 to 2299 or any other open and valid port. SSH is still running; you've simply changed the port and, with enough time, any attacker could eventually test the ports to find out what the new port is by simply swapping IPs each time there's a failure and resulting block.

      When it comes to disabling root login, you're not changing how the root user logs in or the username, you're stopping root logins completely. The root user is no longer a valid user to login with at this point, and all attempts automatically fail. The new sudo user, even with the ability to escalate, still has to have yet another password to do so, thus this isn't obscurity. It's actually common practice and a best practice.

@psmod2

Setting PasswordAuthentication to no enforces the use of SSH Keys for user accounts instead of plain-text passwords.

Disabling password authentication is far more secure and a much better option, though it does mean that you will have to keep up with your SSH Keys locally, otherwise you won't be able to log in.

https://www.freebsd.org/cgi/man.cgi?sshd_config(5)

Console in DigitalOcean is unaffected since it doesn't use SSH.

  • I checked the two options on that site, and I'm still unclear.

    They seem to do the same - so am i supposed to use both:

    PasswordAuthentication no and PermitRootLogin without-password

    • PermitRootLogin applies to root, PasswordAuthentication applies to all users.

      • @psmod2

        It's also important to note that if you set PermitRootLogin to no and the root user is the only one you have an SSH key set up for, you won't be able to log in even with the SSH key. While disabling root logins is recommended, you need to be absolutely sure that your sudo user is correctly set up and able to elevate their permissions before you restart SSH with this setting.

        If you've not yet set up a sudo user, do not disable root logins.

        • Thanks for that.

          Question: what's so important about making a sudo user? Wouldn't that just be the same as root? Or is it to avoid the use of a user known as 'root'?

          • It's not important, just use the root user with a strong public key and passphrase.

          • And when I create a non-sudo user to access my MongoDB, I'll have password login disabled, so do I simply use the same public key for them to log in, or have a unique one? (This would be on my Node.js app droplet.)
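The procedure the accepted answer and its comments describe, as an added shell example that is not part of the original thread: first confirm that a sudo user with an authorized key exists, then set both PermitRootLogin no and PasswordAuthentication no in the global section of sshd_config, check the file with sshd -t and print the effective values with sshd -T before reloading. Names here are assumptions: the config path is the stock /etc/ssh/sshd_config, the sudo group is assumed to be named "sudo" (Debian/Ubuntu; RHEL-style systems use "wheel"), and the sudo user is whatever you pass to main. Two points go beyond what the thread says: on OpenSSH 7.0 and later the without-password value asked about is spelled prohibit-password (the old spelling is kept as an alias) and became the default, which is one reason a distro's sshd_config may not spell it out; and ChallengeResponseAuthentication no is set as well, because with UsePAM yes the keyboard-interactive method can otherwise still prompt for a password even when PasswordAuthentication is no.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Hardens sshd_config the way the accepted answer recommends
# (PermitRootLogin no + PasswordAuthentication no) while guarding against the
# lock-out it warns about: root login is only disabled once a sudo user with an
# authorized key exists. Assumptions: Linux, OpenSSH >= 7.0, sudo group named
# "sudo" (RHEL uses "wheel"), stock config path, run as root.
set -eu

# set_sshd_option FILE KEY VALUE
# Rewrite the first "KEY ..." line in the global section (commented or not) as
# "KEY VALUE" and drop duplicates. If there is none, insert it before the first
# Match block, or append when there is no Match block, so it stays global.
set_sshd_option() {
  local file="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v key="$key" -v value="$value" '
    BEGIN { lk = tolower(key); done = 0; in_match = 0 }
    {
      if (tolower($1) == "match") {
        if (!done) { print key " " value; done = 1 }
        in_match = 1
      }
      if (in_match) { print; next }            # never touch Match-block overrides
      line = $0
      sub(/^[[:space:]]*#?[[:space:]]*/, "", line)   # strip indent and a leading "#"
      split(line, f, /[[:space:]]+/)
      if (tolower(f[1]) == lk) {               # directive names are case-insensitive
        if (!done) { print key " " value; done = 1 }
        next
      }
      print
    }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp"
  cat "$tmp" > "$file" && rm -f "$tmp"        # keep the original mode and owner
}

# get_sshd_option FILE KEY -> value of the active KEY line in the global section
get_sshd_option() {
  awk -v lk="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
    tolower($1) == "match" { exit }                    # stop at the first Match block
    $1 !~ /^#/ && tolower($1) == lk { print $2; exit }
  ' "$1"
}

# Refuse to lock root out unless USER exists, is in the sudo group, and has at
# least one public key (ssh-*, ecdsa-sha2-*, or sk-* type) in authorized_keys.
sudo_user_ready() {
  local user="$1" home
  home="$(getent passwd "$user" | cut -d: -f6)"
  [ -n "$home" ] || return 1
  id -nG "$user" 2>/dev/null | tr ' ' '\n' | grep -qx sudo || return 1
  grep -Eq '^(sk-)?(ssh-|ecdsa-sha2-)' "$home/.ssh/authorized_keys" 2>/dev/null
}

# The two directives the thread discusses, plus the PAM keyboard-interactive
# path that would otherwise still accept passwords on some distros.
harden_sshd() {
  set_sshd_option "$1" PermitRootLogin no                  # root cannot log in at all
  set_sshd_option "$1" PasswordAuthentication no           # keys only, for every user
  set_sshd_option "$1" ChallengeResponseAuthentication no  # no PAM password prompts
}

# Usage: main SUDO_USER   (hypothetical user name, e.g. main deploy)
main() {
  local cfg=/etc/ssh/sshd_config
  sudo_user_ready "$1" || { echo "refusing: $1 is not a sudo user with an SSH key" >&2; return 1; }
  cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
  harden_sshd "$cfg"
  sshd -t -f "$cfg"                                        # syntax check; fails loudly
  sshd -T -f "$cfg" | grep -Ei '^(permitrootlogin|passwordauthentication) '  # effective values
  systemctl reload ssh 2>/dev/null || systemctl reload sshd
}
```

Keep the existing root session open while you test a fresh key-based login as the sudo user from a second terminal; if that login fails, restore the .bak copy and reload before closing the root session. The DigitalOcean web console is a separate path and is not affected by either directive.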
