ssh'ing in as root is a bad idea
Authored by: bentucker on Oct 14, '04 01:49:31PM

Okay, I know this isn't what this post is about, but logging into boxes as root is a just plain bad idea. The first thing you should do when setting up a machine is to disable ssh root login (it's in the .ssh/config file). Log in as yourself and then use sudo as needed or, in extreme cases, /bin/su -. It's a MUCH smarter and safer approach.



ssh'ing in as root is a bad idea
Authored by: extra88 on Oct 14, '04 02:35:24PM

I agree but the given file name/path is incorrect. To disable logging in as root for the SSH server, edit the file /etc/sshd_config

Find this line:
#PermitRootLogin yes

and change it to this:
PermitRootLogin no

If there is no PermitRootLogin line in the config file (OS X includes it by default but I'm not sure all do), just add the line anywhere in the file.

Once you've finished editing the config file, stop and start the ssh server to load the updated config.



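A check for the PermitRootLogin edit described in the comment above, as an added example that is not part of the original thread. It reads an sshd config file the way sshd does for this keyword (commented lines ignored, keywords case-insensitive, first uncommented value wins) and flags values set inside Match blocks; the function name `effective_root_login` and the sample file are constructed for illustration, and Include directives are assumed absent.

```shell
#!/bin/sh
# Added example (not from the thread). Reports the PermitRootLogin value that
# the global section of an sshd config file yields. Assumptions: Include
# directives are not followed; Match blocks are flagged, not evaluated.
effective_root_login() {   # hypothetical helper name
    awk '
        /^[ \t]*(#|$)/ { next }                    # commented-out or blank: ignored
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t=]+/)
            key = tolower(f[1])                    # keywords are case-insensitive
        }
        key == "match" { in_match = 1; next }      # global section ends here
        key == "permitrootlogin" && n >= 2 {
            gsub(/"/, "", f[2])
            if (in_match) { overridden = 1; next }
            if (value == "") value = tolower(f[2]) # first obtained value wins
        }
        END {
            if (value == "") value = "unset"
            note = overridden ? " (Match override present)" : ""
            print value note
        }
    ' "$1"
}

# Constructed sample: a stale "yes" sits above the newly added "no".
sample=$(mktemp)
printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin yes' \
    'PermitRootLogin no' > "$sample"
echo "effective: $(effective_root_login "$sample")"
rm -f "$sample"
```

A result of `unset` means only the commented-out line is present and the server falls back to its compiled-in default, so the explicit `PermitRootLogin no` line still needs to be added.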
ssh'ing in as root is a bad idea
Authored by: epsilon on Oct 14, '04 04:22:36PM

ironic - just reading this from work, thought it would be a good idea... had to log into root via SSH to change it ;) lol



ssh'ing in as root is a bad idea
Authored by: bentucker on Oct 14, '04 08:14:55PM

Thanks for the config file correction! Sorry about that.



sudo su - is another bad idea
Authored by: datasmid on Oct 14, '04 05:03:39PM

Yeah!!! and fix the sudoers file when you can!

MacOSX sudo su - gives root to any admin, sudo was meant to keep users from suing to root and to keep them from editing sudoers. sudo was meant to delegate SOME commands to SOME users from SOME hosts.

PROPOSED FIX
1. Enable the root user in NetInfo
2. Populate the wheel group in NetInfo with the user allowed to become root
3. sudo visudo, enter the hashmark like:
   #%admin ALL=(ALL) ALL
4. chmod o-rx /usr/bin/su



sudo su - is another bad idea
Authored by: bentucker on Oct 14, '04 08:21:49PM

Yes. Also it's a good habit to explicitly run /bin/su -, rather than just su -. Reduces chance of someone throwing another su into the search path and grabbing your password.



sudo su - is another bad idea
Authored by: EddEdmondson on Oct 15, '04 05:08:19AM
No, that's all back to front, surely?

I'd assume that an 'admin' user is allowed to do root operations, and sudo just helps prevent them doing a lot of them by accident.

If you don't want a user to be root then don't make them an admin. You can tweak the sudoers file to give them any additional permissions beyond normal.

Admittedly Apple's use of 'sudo' here is perhaps a bit non-standard but then the idea of 'admin' users is just about as non-standard.
