disable direct ssh root login

nothub · Dec 18, 2023 · 676f928 · 676f928
1 parent 893c7ad
commit 676f928
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 8 deletions.
diff --git a/configs/sshd_config b/configs/sshd_config
@@ -13,9 +13,16 @@ AuthenticationMethods publickey
 LogLevel VERBOSE
 
 # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
-Subsystem sftp  /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
+#
+# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
+# Additionally, only tools such as systemd and auditd record the process session id.
+# On other OSes, the user session id is not necessarily recorded at all kernel-side.
+# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
+PermitRootLogin no
 
-PermitRootLogin prohibit-password
 LoginGraceTime 1m
 UseDNS no
 PrintMotd no

diff --git a/installer/late.sh b/installer/late.sh
@@ -36,12 +36,6 @@ if test "${sudonopw}" = "true"; then
     echo "${admin} ALL=(ALL) NOPASSWD: ALL" > "${prefix}/etc/sudoers.d/${admin}"
 fi
 
-# authorize ssh keys for root user
-mkdir -p  "${prefix}/root/.ssh"
-chmod 700 "${prefix}/root/.ssh"
-cp -a "/cdrom/configs/authorized_keys" "${prefix}/root/.ssh/authorized_keys"
-chmod 640 "${prefix}/root/.ssh/authorized_keys"
-chown "0:0" "${prefix}/root/.ssh/authorized_keys"
 # authorize ssh keys for admin user
 mkdir -p  "${prefix}/home/${admin}/.ssh"
 chmod 700 "${prefix}/home/${admin}/.ssh"