Introduction
More than once, I've needed root access to a server over SCP. As we all know, allowing SSH access with the root user is a glaring security hole: the account is a well-known username with superuser access, so it is the first thing an attacker or script kiddie will try. If you create another user with user ID number 0 and set PermitRootLogin to 'no' in the sshd_config file, you will still not be able to log in, because the PermitRootLogin option actually blocks ANY user whose user ID number equals 0. Here is how to get the best of both worlds.
Requirements
- openssh 4.x
- pam_listfile.so (part of core pam modules)
Instructions
- Create a non-root user with user ID number 0.
#> useradd -u0 -o testuser
#> passwd testuser
- Create a list of users that will be denied, one username per line.
#> echo "root" >> /etc/ssh/sshd.deny
- Now you need to edit the /etc/pam.d/ssh file. Make a backup of this file first: if you make a mistake, you may not be able to log in with any user. I also recommend logging in to another terminal session as root before changing this file, so that you have an open root session available to fix any mistakes you make. Look for a configuration line like the following:
auth include system-auth
Now add the following line before the previously mentioned PAM configuration line.
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/sshd.deny onerr=succeed
Your 'auth' directives in /etc/pam.d/ssh should now look like this:
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/sshd.deny onerr=succeed
auth include system-auth
- Now you need to allow root logins in the SSH daemon. This is done by setting PermitRootLogin in /etc/ssh/sshd_config to 'yes'. This may already be the default, depending on the distribution you use.
PermitRootLogin yes
Save and exit the sshd_config file.
- Restart or reload the SSH daemon to apply the changes.
#> service sshd reload
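As an added example that is not part of the original post, the script below audits the resulting configuration offline: it lists every UID-0 account, reports which of them the pam_listfile deny list still lets through, checks that the pam_listfile line precedes the system-auth include, and flags the fail-open onerr=succeed setting. The file paths and the sample file contents are constructed here, not taken from a real server; point the three variables at the real files to audit one.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the UID-0 alias setup
# described above against constructed copies of /etc/passwd, /etc/ssh/sshd.deny
# and /etc/pam.d/ssh written to a temp directory, so it runs offline.
WORK="$(mktemp -d)"
PASSWD_FILE="$WORK/passwd"
DENY_FILE="$WORK/sshd.deny"
PAM_FILE="$WORK/pam_ssh"

write_samples() {
    # Constructed sample data mirroring the post: root plus the alias testuser.
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$PASSWD_FILE"
    printf 'testuser:x:0:0::/home/testuser:/bin/bash\n' >> "$PASSWD_FILE"
    printf 'nobody:x:99:99::/:/sbin/nologin\n' >> "$PASSWD_FILE"
    printf 'root\n' > "$DENY_FILE"
    printf 'auth required pam_listfile.so item=user sense=deny file=%s onerr=succeed\n' "$DENY_FILE" > "$PAM_FILE"
    printf 'auth include system-auth\n' >> "$PAM_FILE"
}

# Every account whose numeric UID is 0; the post deliberately creates a second one.
uid0_users() {
    awk -F: '$3 == 0 { print $1 }' "$PASSWD_FILE"
}

# UID-0 accounts that pam_listfile will NOT reject, i.e. absent from the deny list.
uid0_allowed_by_pam() {
    uid0_users | while read -r u; do
        grep -qx "$u" "$DENY_FILE" || echo "$u"
    done
}

# Succeeds when the pam_listfile line precedes "auth include system-auth"; placed
# after it, a "sufficient" success inside system-auth could end the stack first.
pam_order_ok() {
    awk '/pam_listfile\.so/ && !inc { found = 1 }
         /^auth[ \t]+include[ \t]+system-auth/ { inc = 1 }
         END { exit found ? 0 : 1 }' "$PAM_FILE"
}

# Succeeds when the module is configured fail-open: with onerr=succeed, an
# unreadable deny file lets every listed user, root included, through.
pam_fails_open() {
    grep -q 'pam_listfile\.so.*onerr=succeed' "$PAM_FILE"
}

write_samples
echo "UID-0 accounts: $(uid0_users | tr '\n' ' ')"
echo "UID-0 accounts not denied by PAM: $(uid0_allowed_by_pam | tr '\n' ' ')"
pam_order_ok && echo "pam_listfile precedes system-auth include: ok"
pam_fails_open && echo "warning: onerr=succeed means a missing deny file fails open"
```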
Testing
First, test your new root-level user:
#> ssh testuser@10.1.1.124
testuser@10.1.1.124's password:
Last login: Fri Apr 15 13:45:38 2011 from 10.1.1.128
[root@CentOS ~]#
Next, test logging in as root:
#> ssh root@10.1.1.124
root@10.1.1.124's password:
Permission denied, please try again.
root@10.1.1.124's password:
Conclusion
Now you should be able to log in with your non-root user, which has root access. If you try to log in as root, you will always get "Permission denied, please try again." This lets you log in with a root-level user without the glaring security hole of allowing the well-known superuser account access. For even better security, look into limiting where certain users can log in from. This can also be done with PAM.