
Disable root access via SSH Network
Since the 10.0.1 update has been released, one of the new features is the implementation of SSH/SSHD. First thing I always do after an install of SSHD is edit a few items in the sshd_config file.

- At your terminal, 'su -' to your root account
- 'pico -w /etc/sshd_config'
- Look for the line containing "PermitRootLogin yes"
- Simply change this line to read "PermitRootLogin no"
- Save your changes and exit the editor
- Open your "System Preferences" from the Dock, and choose "Sharing"
- If the check box beside remote access is not selected, turn it on if you wish for SSH access to be enabled. If it is already selected, then just cycle it. Click it off, then back on.

...unless of course you want to allow someone one step closer to controlling your machine remotely. ;)

-J.
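
An added example, not part of the original hint: a check that the edit above actually took effect, based on the sshd_config(5) rule that the first value read for a keyword is the one used. The function names and sample files are constructed for illustration; point the function at /etc/sshd_config on a real machine.

```shell
#!/bin/sh
# Added example: report the PermitRootLogin value sshd will actually use.
# sshd_config rules relied on: keywords are case-insensitive, lines that
# start with "#" are comments, and the FIRST value read for a keyword wins.

effective_permit_root_login() {
    # $1 = path to an sshd_config file (the hint edits /etc/sshd_config)
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)     # "Key=value" form is also legal
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit            # global section ends at first Match
            if (key == "permitrootlogin") { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

root_login_disabled() {
    # Succeeds only when the global setting is an explicit "no".
    [ "$(effective_permit_root_login "$1")" = "no" ]
}

# Constructed sample configs (not taken from any real machine).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '#PermitRootLogin no' 'Port 22' 'PermitRootLogin yes' \
    > "$demo_dir/commented_fix"      # the "no" line is still a comment
printf '%s\n' 'permitrootlogin yes' 'PermitRootLogin no' \
    > "$demo_dir/appended_fix"       # "no" appended after an earlier "yes"
printf '%s\n' 'Port 22' '  PermitRootLogin   no  ' \
    > "$demo_dir/hardened"
printf '%s\n' 'Port 22' 'Match User backup' '  PermitRootLogin no' \
    > "$demo_dir/match_only"         # only set conditionally

for f in commented_fix appended_fix hardened match_only; do
    printf '%-14s %s\n' "$f" "$(effective_permit_root_login "$demo_dir/$f")"
done
```

A result of "unset" means sshd falls back to its built-in default, which differs between OpenSSH releases, so the line should be set explicitly as the hint does.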

The following comments are owned by whoever posted them. This site is not responsible for what they say.
Very good idea
Authored by: JNieves on Apr 15, '01 11:44:14AM

This is a very good idea and not obvious to a UNIX newbie like me - but would this make much of a difference if you don't enable remote access?



It shouldn't...
Authored by: robg on Apr 15, '01 03:42:44PM

If you do not have remote access enabled, then the SSH server isn't running -- nobody will be able to connect as root or anything else.

-rob.



Isn't this the default?
Authored by: Anonymous on Apr 15, '01 12:08:20PM

Could someone more experienced in unix than I answer this question: Doesn't Apple deny root access by default?

If not, they REALLY REALLY SHOULD BE.



Isn't this the default?
Authored by: reverend on Apr 15, '01 04:49:35PM

You're moving into a very Microsoft-ish area by having the producer of the OS restrict means of access rather than putting it in the hands of the user. This is not DOS with XP running on top, where you have to ask MS for permission to install a new soundcard. This is UNIX, you are in control with Apple offering you suggestions but not telling you what you can and cannot do. This is the Linux way of doing things. :) So, if you want root access for some strange reason, then you can have root access via SSH. This could be a viable situation be it on a machine behind a good firewall.



No root by default
Authored by: Anonymous on Apr 16, '01 02:04:51PM

By default, there is no root account activated in the first place.
So it wouldn't matter.

As an aside, it's a bit of a shock that people started telling everyone to enable root so quickly, since the general rule is if you know what root is, then you should also know the issues enabling root creates. Almost all of the tricks posted could have been done using sudo, which wouldn't have required enabling root at all... Mac OS X growing pains, I suppose.



Isn't this the default?
Authored by: romulis on Feb 11, '05 04:31:11AM

This is where marketing and reality don't quite coincide the way they should.

Marketing: Apple delivers OS-X with the root account disabled.
Reality: The root account ALWAYS exists on every unix machine.

The difference is that Apple is talking about logging in directly as root (i.e. when you sit down at your Mac and log in as root from the login window, or at the shell's login prompt).

Unix, however, relies heavily on the root account. The root account is there, but the password has been set such that it can't be typed. Since root access is required to do anything with the system, the admin user has access to root via "sudo" (see the manpage for details). This makes the system fairly secure because you can't log in as root directly from anywhere; in short, Apple has done it right.

The PermitRootLogin setting in ssh is really "yet another check" - even if someone could guess your root password, ssh would simply prevent that login from taking place - ignoring passwords, public keys etc.

The only "problem" is that if someone can guess YOUR password, they can log in as you, then they can run sudo, and then they have root access. Of course if you change root's password, then the ssh option might be of some help.

In short, if you're using a default setup, and YOUR password is relatively secure, you should have nothing to worry about... at least in this regard ;-)

Cheers,

Steve



Disable root access via SSH
Authored by: marcherman on Jun 10, '03 02:15:40AM

Allow me to clarify that the deny root login option just blocks someone from logging in as the root user. It does NOT block access to the root as such for any authorised user with access to whatever home directory.
Having said that, I would greatly appreciate any help to help understand what (system) directories one is able to block using the system of access privileges.
In my experience with the application directory, e.g., denying read access to 'everyone' confuses the system when restarting and causes it to hang during the login procedure.
Weird stuff.


