Why is Ubuntu 22 still permitting login as root

sshUbuntu

Running Ubuntu 22, it still allows me to log in via SSH as root-user.

I run the following configuration in /etc/ssh/sshd_config:

PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
PermitRootLogin no

Full content:

Include /etc/ssh/sshd_config.d/*.conf

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin without-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
PermitRootLogin no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem   sftp    /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

Running the command

strings $(which sshd) | grep -i "sshd_config"

shows the correct path for the config file:

/etc/ssh/sshd_config

Command:

ls -l /etc/ssh/sshd_config.d/*.conf

ls: cannot access '/etc/ssh/sshd_config.d/*.conf': No such file or
directory

> sshd -T


port 22
addressfamily any
listenaddress [::]:22
listenaddress 0.0.0.0:22
usepam yes
logingracetime 120
x11displayoffset 10
maxauthtries 6
maxsessions 10
clientaliveinterval 0
clientalivecountmax 3
streamlocalbindmask 0177
permitrootlogin without-password
ignorerhosts yes
ignoreuserknownhosts no
hostbasedauthentication no
hostbasedusesnamefrompacketonly no
pubkeyauthentication yes
kerberosauthentication no
kerberosorlocalpasswd yes
kerberosticketcleanup yes
gssapiauthentication no
gssapicleanupcredentials yes

This shows:

permitrootlogin without-password

Also, I figured out, that as a normal user, I can't login via "su" as root. But from outside I can signin via SSH.

I have restarted the sshd-service several times and even rebootet the server.

The directory

I want to achieve that no root can login anymore, only dedicated users via SSH.
How to achieve that?

Best Answer

Because, according to the sshd_config man page:

Unless noted otherwise, for each keyword, the first obtained value will be used.

And in your config file, PermitRootLogin without-password comes before PermitRootLogin no. The safest course of action is to comment out all other instances pf PermitRootLogin before trying to set it.

Related Solutions

Ssh – How to automate SSH login with password

Don't use a password. Generate a passphrase-less SSH key and push it to your VM.

If you already have an SSH key, you can skip this step… Just hit Enter for the key and both passphrases:

$ ssh-keygen -t rsa -b 2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.

Copy your keys to the target server:

$ ssh-copy-id id@server
id@server's password:

Now try logging into the machine, with ssh 'id@server', and check-in:

.ssh/authorized_keys

Note: If you don't have .ssh dir and authorized_keys file, you need to create it first

to make sure we haven’t added extra keys that you weren’t expecting.

Finally, check to log in…

$ ssh id@server

id@server:~$

You may also want to look into using ssh-agent if you want to try keeping your keys protected with a passphrase.

Sshd on mac does no longer accept connections in inetd (-i) mode, but does in do not detach mode (-D), how to fix

It's pretty non-standard to use initd to start anything on a Mac. Instead, launchd is used, kicking off sshd in an ad hoc fashion (ie, it doesn't run as a typical server daemon until there's knock on the door). I suspect that your use of Linux-centric Webmin to manage ssh is contributing to the problem, since Webmin doesn't know a whole lot about launchd.

First, make sure the ssh launchd item is configured to load, just to eliminate the obvious.

sudo launchctl load -w /System/Library/LaunchDaemons/ssh.plist

This is akin to ticking the box on Server Admin.app in the Settings options to enable SSH. Check syslog to see if launchctl is complaining about something.

It's unclear why you would want Webmin to handle SSH, but Apple's default configuration might be illuminating.

There's a launchd item in /System/Library/LaunchDaemons called sshd.plist. This XML file indicates that /usr/libexec/sshd-keygen-wrapper is used as the "program" that actually kicks off /usr/sbin/sshd using the -i flag. (The sshd-keygen-wrapper program is a shell script to first set up initial rsa and dsa keys in empty user home dirs.) The sshd-keygen-wrapper, however, also kicks off sshd like exec /usr/sbin/sshd $@ and is a trusted/whitelisted program as far as the socket firewall is concerned.

You might also want to grab the default /etc/sshd_config from backup or another machine to eliminate that as a variable in troubleshooting.

Best Answer

Related Solutions

Ssh – How to automate SSH login with password

Sshd on mac does no longer accept connections in inetd (-i) mode, but does in do not detach mode (-D), how to fix

Related Topic