[SOLVED] sshd_config keeps reverting to "without-password"


Postby simonhoare » Feb 17th, '13, 21:48

In OpenSSH server (Cauldron, beta 2), the default in the sshd_config file is PermitRootLogin without-password.
Whenever I change this to PermitRootLogin no and enter sudo service sshd reload, as soon as I reboot the setting is back to without-password.

Is this a bug or a feature?

According to my limited understanding of SSH, this suggests anyone can log in to my system unchallenged. Surely no one wants that. Except hackers maybe.
Last edited by simonhoare on Feb 17th, '13, 22:27, edited 1 time in total.
simonhoare
 
Posts: 32
Joined: Dec 1st, '12, 18:56

Re: sshd_config keeps reverting to "without-password"

Postby alf » Feb 17th, '13, 22:18

I think it's because msec overwrites these settings. Have a look into MCC --> security --> configure system security ... --> security settings --> network security. Value of Parameter ALLOW_REMOTE_ROOT_LOGIN is responsible for this behavior.
for windows problems reboot; for linux problems be root
alf
 
Posts: 326
Joined: Apr 1st, '11, 23:07
Location: DE Paderborn

Re: sshd_config keeps reverting to "without-password"

Postby simonhoare » Feb 17th, '13, 22:26

Yes, that was it. Thank you.

Bit of an adjustment in logic, coming from Debian.
simonhoare
 
Posts: 32
Joined: Dec 1st, '12, 18:56

Re: [SOLVED]sshd_config keeps reverting to "without-password

Postby simonhoare » Feb 17th, '13, 22:28

By the way, is it functioning as designed or should I open a bug report?
simonhoare
 
Posts: 32
Joined: Dec 1st, '12, 18:56

Re: [SOLVED]sshd_config keeps reverting to "without-password

Postby alf » Feb 17th, '13, 22:34

Well, I think it's a feature not a bug. MCC is intended to do all your settings in one tool. :)
for windows problems reboot; for linux problems be root
alf
 
Posts: 326
Joined: Apr 1st, '11, 23:07
Location: DE Paderborn

Re: [SOLVED] sshd_config keeps reverting to "without-passwor

Postby martinw » Feb 18th, '13, 00:43

I think "without-password" has the opposite meaning to what you think. From 'man sshd_config' I get
If this option is set to “without-password”, password authentication is disabled for root.

i.e. root can only log in using public key authentication. So it is more secure than setting the option to "yes", not less.

Doing a quick test here, I find that you are still presented with a password prompt if you try to connect as root, but the root password is not recognised.
martinw
 
Posts: 608
Joined: May 14th, '11, 10:59
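
An added example (not from the thread and not msec's own code): a shell check for the situation discussed above, which reads the PermitRootLogin value sshd will use from a config file, says what that value allows, and flags when it differs from the one you set. The function names are hypothetical, the sample file is constructed, and `prohibit-password` is the name later OpenSSH releases use for `without-password`.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample config is constructed.

# effective_root_login FILE [DEFAULT]
# Keywords are case-insensitive and sshd uses the FIRST value it reads.
# Only the global section (before any Match line) is examined.
effective_root_login() {
    awk -F'[ \t=]+' -v def="${2:-unset}" '
        { sub(/^[ \t]+/, "") }                # drop indentation, re-split fields
        /^(#|$)/ { next }                     # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }               # conditional blocks start here
        key == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# describe_root_login VALUE: what the setting lets root do over SSH.
describe_root_login() {
    case "$1" in
        no) echo "root cannot log in" ;;
        without-password|prohibit-password)   # second name: newer OpenSSH
            echo "root can log in with a key only, passwords are refused" ;;
        forced-commands-only) echo "root key login only with a forced command" ;;
        yes) echo "root can log in with password or key" ;;
        *) echo "unset or unrecognised" ;;
    esac
}

# check_root_login FILE WANTED: return 1 when the file no longer holds WANTED,
# e.g. after another tool rewrote it at boot.
check_root_login() {
    actual=$(effective_root_login "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK: PermitRootLogin $actual"
    else
        echo "DRIFT: wanted '$2', found '$actual' ($(describe_root_login "$actual"))"
        return 1
    fi
}

sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config fragment
Port 22
#PermitRootLogin yes
PermitRootLogin without-password
PermitRootLogin no
EOF
check_root_login "$sample" no || true   # prints DRIFT: the later "no" is ignored
```

On a live system, `sshd -T` (run as root) prints the configuration sshd actually parsed and is the authoritative check.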

Re: [SOLVED] sshd_config keeps reverting to "without-passwor

Postby djennings » Feb 18th, '13, 02:59

If msec is changing your sshd configuration for you, then you must have selected a fairly high security level. With the default security level msec would not change those settings.

It is reassuring to know that msec is doing its job, but if you are not familiar with it then it can seem odd that security settings change of their own accord.

You can browse how msec is configured for all the security levels in MageiaControlCentre>Security, and you can override any of the defaults.
djennings
 
Posts: 613
Joined: Jun 2nd, '11, 23:51
Location: Wokingham, UK

Re: [SOLVED] sshd_config keeps reverting to "without-passwor

Postby simonhoare » Feb 18th, '13, 14:36

Ah - that's reassuring. But "no" is even more secure, right? I basically have another PC that I use as a practise local server. I only ever want to SSH into that machine without anybody being able to SSH into the main machine. So "no" is more appropriate for that than without password, right?

Still, it's nice to know there wasn't a security hole.

Re the settings, I don't know. Knowing myself - as I should - if I'd been given a choice between a higher and a lower level of security I would have taken the higher level.
simonhoare
 
Posts: 32
Joined: Dec 1st, '12, 18:56

Re: [SOLVED] sshd_config keeps reverting to "without-passwor

Postby doktor5000 » Feb 18th, '13, 16:25

simonhoare wrote: Re the settings, I don't know. Knowing myself - as I should - if I'd been given a choice between a higher and a lower level of security I would have taken the higher level.

Well, you get the choice during initial installation, on the summary page: http://doc.mageia.org/installer/2/en/co ... s-security
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts
doktor5000
 
Posts: 18062
Joined: Jun 4th, '11, 10:10
Location: Leipzig, Germany

Re: [SOLVED] sshd_config keeps reverting to "without-passwor

Postby martinw » Feb 18th, '13, 22:36

simonhoare wrote: Ah - that's reassuring. But "no" is even more secure, right? I basically have another PC that I use as a practise local server. I only ever want to SSH into that machine without anybody being able to SSH into the main machine. So "no" is more appropriate for that than without password, right?

Theoretically, yes. But normally there won't be any keys stored in /root/.ssh, so nobody could connect as root using key authentication unless they could get in and install some keys. So I don't think it provides any greater security against an initial attack, but there is an argument that it provides a way for a successful attacker to leave a door open for future exploits. But to protect against that, you also need something like msec that guards against changes to the sshd config.

For your main requirement, just disable the ssh server on your main machine. That way nobody can connect to it, even if they've gained access to your practise server.

P.S. Statements here are true to the best of my knowledge - but I don't claim to be a security expert!
martinw
 
Posts: 608
Joined: May 14th, '11, 10:59

Re: [SOLVED] sshd_config keeps reverting to "without-passwor

Postby simonhoare » Feb 19th, '13, 17:29

Thanks, Martin.

Incidentally, I notice that Mandriva has more documentation (or so it seems). Is it useful to read that documentation or would it just confuse someone learning Mageia?
simonhoare
 
Posts: 32
Joined: Dec 1st, '12, 18:56

Re: [SOLVED] sshd_config keeps reverting to "without-passwor

Postby djennings » Feb 19th, '13, 18:39

By all means refer to the Mandriva documentation.
I believe msec has been overhauled post the fork from Mandriva so the Mandriva documentation may not be entirely accurate.

You will find your msec logs at /var/log/security
If you put a valid mail address on MageiaControlCentre>Security>Security you will get daily and weekly email reports from msec, but the email will only work if you have a mail MTA installed such as postfix. If you do not intend to run a postfix mail server then dma is a lightweight alternative https://wiki.mageia.org/en/Dma_Dragonfly_Mail_Agent

Another useful source of documentation is http://www.howtoforge.com/
There are plenty of HOWTOs for Mandriva that work just as well with Mageia. (Guides for PClinuxOS are usually OK too)
djennings
 
Posts: 613
Joined: Jun 2nd, '11, 23:51
Location: Wokingham, UK

