From 676f928b7a1755264cd1e7e5e8ab2c9e7ef1561a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Florian=20H=C3=BCbner?=
Date: Mon, 18 Dec 2023 04:38:31 +0100
Subject: [PATCH] disable direct ssh root login

---
 configs/sshd_config | 11 +++++++++--
 installer/late.sh | 6 ------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/configs/sshd_config b/configs/sshd_config
index e9605bd..709d238 100644
--- a/configs/sshd_config
+++ b/configs/sshd_config
@@ -13,9 +13,16 @@ AuthenticationMethods publickey
 LogLevel VERBOSE
 
 # Log sftp level file access (read/write/etc.) that would not be easily logged otherwise.
-Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO
+
+# Root login is not allowed for auditing reasons. This is because it's difficult to track which process belongs to which root user:
+#
+# On Linux, user sessions are tracking using a kernel-side session id, however, this session id is not recorded by OpenSSH.
+# Additionally, only tools such as systemd and auditd record the process session id.
+# On other OSes, the user session id is not necessarily recorded at all kernel-side.
+# Using regular users in combination with /bin/su or /usr/bin/sudo ensure a clear audit track.
+PermitRootLogin no
 
-PermitRootLogin prohibit-password
 LoginGraceTime 1m
 UseDNS no
 PrintMotd no
diff --git a/installer/late.sh b/installer/late.sh
index 6cd254a..21dfa64 100755
--- a/installer/late.sh
+++ b/installer/late.sh
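Review bot: The comment block added above `PermitRootLogin no` in configs/sshd_config has wording slips that weaken the rationale it records: "user sessions are tracking" should be "are tracked", and the last line should read `# Using regular users in combination with /bin/su or /usr/bin/sudo ensures a clear audit trail.`. The hunk shows only part of the file, so it cannot be confirmed from here that no earlier `PermitRootLogin` line or included drop-in takes precedence (sshd keeps the first value it obtains for a keyword); checking the effective value on an installed system with `sshd -T` would settle it. Since installer/late.sh can give `${admin}` a `NOPASSWD: ALL` sudoers entry, the comment should also say that this setting is about attributing root activity to a named user and is not a privilege boundary for the admin key.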
@@ -36,12 +36,6 @@ if test "${sudonopw}" = "true"; then
 echo "${admin} ALL=(ALL) NOPASSWD: ALL" > "${prefix}/etc/sudoers.d/${admin}"
 fi
 
-# authorize ssh keys for root user
-mkdir -p "${prefix}/root/.ssh"
-chmod 700 "${prefix}/root/.ssh"
-cp -a "/cdrom/configs/authorized_keys" "${prefix}/root/.ssh/authorized_keys"
-chmod 640 "${prefix}/root/.ssh/authorized_keys"
-chown "0:0" "${prefix}/root/.ssh/authorized_keys"
 # authorize ssh keys for admin user
 mkdir -p "${prefix}/home/${admin}/.ssh"
 chmod 700 "${prefix}/home/${admin}/.ssh"