Linux – How to limit root to being able to only login on the console via /etc/security/access.conf

consolelinuxrootssh

I know that I can prevent root from logging in via ssh with /etc/ssh/sshd_config but the auditors also want to see it done in /etc/security/access.conf as well.

It seems doable but I can't determine the correct syntax or order?

To test I am permitting root login in /etc/ssh/sshd_config and then attemptig to login via ssh.

Best Answer

When someone logs in, the file access.conf is scanned for the first entry that matches... User root should be denied to get access from all other sources.

- : root : ALL

Quoted from the manpage

In my opinion that's just wrong. root should definitely be allowed to log in when a user has physical access to the box.

I do count IPMI as physical access, if you don't want that unplug the cable, it's the only way to be sure that you do have to stand in front of the box to have the equivalent of physical access. In some environments I even have the tendency to have a root terminal running without the need to log in -- given that proper access control to the facility is in place.

Why: sudo might fail, and giving the root password to a bunch of people so that they can login just generates problems, you'd have to change the password quite often in larger teams since there'll always be fluctuation. With an "open" root terminal there are no password worries -- all under the assumption that proper access control is there and that IPMI access is secured as well with personalized accounts

(No go downvote me for that, I can imagine that there are a ton of reasons against that but I find that to be a better -- more practical -- solution than to have a password policy for root which will sooner or later be forgotten. And if you then do need root access you have to jump in squares to get the "Password of the day")

Related Solutions

Linux – Restrict root ssh from all but one IP/hostname

In /etc/ssh/sshd_config

# Disable Root login
PermitRootLogin no
#
# [ . . . ]
#
# At the end of the file, add:
#
# Allow Root Login via Key from Admin Bastion
Match Address 10.9.8.7
        PermitRootLogin without-password

Redhat – Disable local root login, permit root login over ssh

Yes.

Create a SSH key for root & add the public half to ~/root/.ssh/authorized_keys.
Edit /etc/ssh/sshd.conf - Set PermitRootLogin to without-password
Restart sshd
TEST IT -- Make sure you can log in as root over SSH using the key.
- TEST SINGLE USER MODE - Make sure it doesn't ask for root's password (Once you complete step 5 root will no longer be able to log in using a password, so and breaking single-user mode can be a Bad Thing)
Lock out root's login password (replace the password field in /etc/shadow with *, x, etc.)

Notes:

Your machine can still be rooted by anyone who can walk up to the console (because single-user mode won't ask for a password), but your machine will go down when they try it so you'll theoretically know.
- If you configure single-user mode to require a password the only way to perform recovery work on your system is to use a recovery CD, and you're in the same security boat as above, but now the hacker is annoyed.
Your machine's network profile is now only as secure as root's SSH key, so make sure to set a good passphrase & keep the key in a secure place.
If you lose the SSH key the only way to get back in to the system as root is to reboot in single-user mode (or hack your own box).

An alternate configuration is also possible where a separate sshd that listens for root logins is only avaliable on localhost & you use agent forwarding to log in as root. I know at least one major corporation that has that configuration, and it adds one more layer of security (and complexity).

Best Answer

Related Solutions

Linux – Restrict root ssh from all but one IP/hostname

Redhat – Disable local root login, permit root login over ssh

Related Topic