bugzilla-daemon at mindrot.org
2006-Aug-09 16:48 UTC
[Bug 1216] Warn via Logwatch when sshd PermitRootLogin is in effect
http://bugzilla.mindrot.org/show_bug.cgi?id=1216

           Summary: Warn via Logwatch when sshd PermitRootLogin is in effect
           Product: Portable OpenSSH
           Version: 4.3p2
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: russell.don at gmail.com

I originally entered this as a Linux Fedora Core 5 bug/rfe:
Ref. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201794

I was referred "upstream", and here I am. :-)

For various reasons, allowing root access by default is desirable. That's fine.... I'm not asking to change the default.

It would be beneficial to bring that little gem to sysadmins' attention by producing a periodic (daily) warning via the Logwatch report.

I would like to see something in my Logwatch report (SSHD section) like:

    Warning: root access is allowed via ssh. Ref /etc/ssh/sshd_config

Perhaps a new option in /etc/ssh/sshd_config:

    PermitRootLoginWarn yes

Or, as the Fedora people suggested, perhaps a new value for the PermitRootLogin option:

    yes  - allow access (default)
    no   - deny access
    warn - implies "allow access", issue periodic (daily) warning via logwatch mechanism.

Personally, I prefer a new option keyword, I think it is more clear.

Both options should be enabled by default, the sysadmin can then make an informed decision:

1 - turn off the warning (yes, I know, I want that)
2 - deny root logon (say what?! Thanks for telling me, I'll stop that right now)
3 - I like seeing the warning everyday :-)

Thanks :-)

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Aug-09 21:28 UTC
[Bug 1216] Warn via Logwatch when sshd PermitRootLogin is in effect
http://bugzilla.mindrot.org/show_bug.cgi?id=1216

------- Comment #1 from dtucker at zip.com.au 2006-08-10 07:28 -------
I don't see any point to this. If you want something like this just add a cron job:

    egrep -i '^permitrootlogin.*no' /etc/ssh/sshd_config || logger root login allowed via ssh
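
Added example (not part of the thread, and not OpenSSH code): a fuller version of the cron check from comment #1 that resolves which PermitRootLogin value actually applies, covering duplicate keywords, leading whitespace, Key=value syntax and Match blocks. The function names, the logger tag and the sample file are hypothetical, and the fallback of "yes" for an unset keyword is an assumption taken from this thread.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSSH project.

# Print the effective global PermitRootLogin value of an sshd_config-style file.
# sshd keywords are case-insensitive and the first value obtained wins; lines
# inside a Match block are conditional, so the scan stops at the first Match.
# $2 = value assumed when the keyword is absent (assumption: "yes", the
# default described in this thread; check the default of the sshd in use).
effective_permit_root_login() {
    awk -v def="${2:-yes}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # comment and blank lines
        {
            sub(/^[ \t]+/, "")                 # drop leading whitespace
            split($0, f, /[ \t=]+/)            # "Key value" or "Key=value"
            key = tolower(f[1])
        }
        key == "match" { exit }
        key == "permitrootlogin" { val = tolower(f[2]); found = 1; exit }
        END { print (found ? val : def) }
    ' "$1"
}

# Print a warning and return 0 when root login is allowed in any form
# (any value other than "no"); return 1 when it is denied.
root_login_warning() {
    value=$(effective_permit_root_login "$1" "$2") || return 2
    [ "$value" = "no" ] && return 1
    echo "Warning: root access is allowed via ssh (PermitRootLogin $value). Ref $1"
}

# Constructed sample, not a real host's file: the first setting wins, so the
# later "no" never takes effect, yet a grep for a "no" line still matches it.
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
  permitrootlogin YES
PermitRootLogin no
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
# From cron: root_login_warning /etc/ssh/sshd_config | logger -t sshd-config
root_login_warning "$sample"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration as sshd itself resolves it, which avoids re-implementing the parser.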
bugzilla-daemon at mindrot.org
2006-Aug-09 21:47 UTC
[Bug 1216] Warn via Logwatch when sshd PermitRootLogin is in effect
http://bugzilla.mindrot.org/show_bug.cgi?id=1216

------- Comment #2 from russell.don at gmail.com 2006-08-10 07:47 -------
(In reply to comment #1)
> I don't see any point to this.

The point is that after an initial install, root login is permitted via a remote connection. (granted, authentication is still required, I'm not suggesting that un-authenticated access is allowed.)

If people knew enough to add the suggested cron job, then they also know enough to ensure the PermitRootLogin option is correct for their own environment and therefore do not need the cron job.

If sshd scheduled such a cron job when starting and seeing both "PermitRootLogin yes" and "PermitRootLoginwarn yes" options set, there would be no "surprises".

Thanks for your consideration.
bugzilla-daemon at mindrot.org
2006-Aug-09 21:57 UTC
[Bug 1216] Warn via Logwatch when sshd PermitRootLogin is in effect
http://bugzilla.mindrot.org/show_bug.cgi?id=1216

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX

------- Comment #3 from dtucker at zip.com.au 2006-08-10 07:57 -------
Even in your proposal you had the default as "yes" (ie no warning), so the admin would still have to explicitly enable it. If you want to enable something, enable a cron job.

So, no, I don't think we'll be implementing this.
bugzilla-daemon at mindrot.org
2006-Aug-09 22:07 UTC
[Bug 1216] Warn via Logwatch when sshd PermitRootLogin is in effect
http://bugzilla.mindrot.org/show_bug.cgi?id=1216

------- Comment #4 from russell.don at gmail.com 2006-08-10 08:07 -------
Yes, my example showed the PermitRootLogin yes (default)

That should have read (current default) and then the warn setting became the new default option, if you opted to add a new value to the PermitRootLogin option.

Anyway... WONTFIX.... That's fine, all I can do is make the suggestion. It doesn't affect me (anymore), I just thought it would be little effort, and help new users.

Thanks for the speedy replies.

Regards.