Hi Damien,

Thank you for the explanation and suggesting the option that does exactly what I want. The intention looks reasonable to me.

I actually have a related question about the reasoning: Why is "PermitRootLogin no" not a default option? That would be much more secure and would make such kind of brute-force attacks useless, or at least much less effective, for most users.

On Sun, 22 Feb 2015 08:02:11 +1100 (AEDT) Damien Miller <djm at mindrot.org> wrote:
> On Sat, 21 Feb 2015, tot-to wrote:
>
> > Steps to reproduce:
> > 1) PermitRootLogin no in sshd_config
> > 2) login with "root" user from other host
> >
> > Present behaviour:
> > 1) it asks for password 3 times and only then closes the connection.
> > 2) cpu consumption during brute-force "attacks".
>
> This is intentional behaviour. The intention is to not give clues as
> to which accounts may be valid for login.
>
> > Expected behaviour:
> > Immediate disconnect/login fail
>
> If you want this, then use:
>
> Match user root
> MaxAuthTries 0
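An added audit check for the settings discussed in this thread; it is not code from the thread or from OpenSSH. It resolves the effective global value of a keyword under the sshd_config(5) rules (keywords are case-insensitive, the first value wins, and everything after the first "Match" line is conditional), so a "PermitRootLogin no" that only appears inside a Match block is correctly reported as not setting the global default. The sample config, the function names and the lack of support for the "keyword=value" spelling are assumptions of this example.

```shell
#!/bin/sh
# Audit an sshd_config for the root-login settings discussed in the thread.
# Parsing rules mirrored from sshd_config(5): keywords are case-insensitive,
# the first occurrence of a keyword wins, and everything after the first
# "Match" line is conditional, so it does not set the global value.
# Assumption: only the "keyword value" form is handled, not "keyword=value".

# Constructed sample (not a real host's config): PermitRootLogin is set only
# inside a Match block, so globally it still falls back to the compiled-in
# default, which was "yes" upstream at the time of this thread.
SAMPLE_CONFIG='# constructed sshd_config
Port 22
#PermitRootLogin no
MaxAuthTries 6
Match User root
    PermitRootLogin no
    MaxAuthTries 0
'

# Print the effective global value of a keyword, or "(default)" if unset.
# $1 = keyword in any case, stdin = config text
sshd_global_value() {
    awk -v key="$(printf %s "$1" | tr 'A-Z' 'a-z')" '
        { sub(/[#].*/, "") }                          # strip comments
        NF == 0 { next }                              # skip blank lines
        tolower($1) == "match" { exit }               # global section ends
        tolower($1) == key { print $2; found = 1; exit }  # first value wins
        END { if (!found) print "(default)" }
    '
}

# Classify the global PermitRootLogin value of SAMPLE_CONFIG:
# "ok" when root password authentication is blocked, "weak" otherwise
# ("yes" or unset, since the upstream default at the time was "yes").
root_login_status() {
    val=$(printf '%s' "$SAMPLE_CONFIG" | sshd_global_value PermitRootLogin)
    case "$val" in
        no|without-password|prohibit-password|forced-commands-only) echo "ok" ;;
        *) echo "weak" ;;
    esac
}

root_login_status
```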
Philip Hands
2015-Feb-21 23:36 UTC
PermitRootLogin default (was: "PermitRootLogin no" should not proceed with root login)
tot-to <tot-to at tot-to.com> writes:
...
> I actually have a related question about the reasoning:
> Why "PermitRootLogin no" is not a default option?

"without-password" is the right default IMO, as suggested some time ago:
https://bugzilla.mindrot.org/show_bug.cgi?id=2164
(and considerably earlier in Debian circles ;-) )

I'm glad to say that the default for the Debian package has finally switched to "without-password" for new installs in our upcoming release.

I'd suggest it is pretty irresponsible allowing the default to remain as "yes" here upstream, especially given how popular brute-force attacks are these days.

Given that nobody came up with any argument to maintain "Yes" as the default in response to that bug, it seems a bit of a shame that inertia is apparently the controlling factor here.

Cheers, Phil.
--
|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
|-| http://www.hands.com/ http://ftp.uk.debian.org/
|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
Christoph Anton Mitterer
2015-Feb-21 23:53 UTC
PermitRootLogin default (was: "PermitRootLogin no" should not proceed with root login)
On Sat, 2015-02-21 at 23:36 +0000, Philip Hands wrote:
> I'm glad to say that the default for the Debian package

Unfortunately, Debian overdid it quite a lot and also set a number of not so smart (respectively security-critical) defaults:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=765632

So it's like 1:1 ;-)

Cheers,
Chris.