ssh allowing root login with no password

Steven Buehler steve at ibushost.com
Tue May 10 13:21:17 UTC 2011 


-----Original Message-----
On 05/09/11 15:18, Steven Buehler wrote:
> I am trying to setup our servers to only allow logins with a 
> public/private key pair.  2 of our machines have to have root login 
> access with ssh and the rest, we will login as another account and su 
> to root.  I just started with this company and on their boxes which 
> range from version 5.1 to 5.5, if I open up the firewall to allow ssh 
> access from anywhere, I can ssh to root without a password.  The only 
> uncommented lines in the /etc/ssh/sshd_config are the following:
>
>   [snip]
>
>
> I'm hoping that someone can lead me in the right direction as I can't 
> figure this one out.  If this was only one machine, I would assume 
> that it might have been hacked, but this is all of their servers and 
> VM's that will allow me to ssh to them without a login/password and 
> get into root.  Luckily, they have always had their (supposedly 
> anyway) iptables set to only allow access from specific IP's.
>
>

Change / uncomment PermitRootLogin with a value of without-password

--

I changed the line to read
PermitRootLogin without-password

It still allows a root login without a password or key.

Someone else suggested that there was an authorized_keys file and a known
hosts file.  I was able to get to these servers from my own personal servers
that have NEVER ssh'd to these servers before, so the known hosts file from
the client server was empty since it is actually a fresh install of mine.
The authorized_keys file on the sshd server does have 2 keys in it.  Those 2
private keys are NOT on the client server, so there should be no reason it
lets me in from the remote (client) server.

I have copied over my sshd_config file from one of my personal servers where
I know they work and I still have the problem.

Below is my new sshd_config file after some changes on one of the servers
that I need to have root login with a key and not password, but it still
allows login without either.  I don't know what they did when they setup
these machines, but it is really ticking me off.

Protocol 2   
SyslogFacility AUTHPRIV
PermitRootLogin without-password
StrictModes yes
PubkeyAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
ChallengeResponseAuthentication no  
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes 
UsePAM no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY
LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT 
AcceptEnv LC_IDENTIFICATION LC_ALL
X11Forwarding yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server

More information about the redhat-list mailing list