Root access over SSH enabled by default
#1
Hi all,

I just wanted to mention a security issue I noticed today when I finally got to play with my new PBP.
It appears that SSH is enabled on startup, and that root access via ssh enabled by default.

With the default un/pw being root/root, this is definitely not recommended.

For those not familiar, you can simply issue this command from another linux machine:
ssh {your PBP ip address here} -l root

Once logged in as root (either remotely or locally) you can modify your ssh config:
vi /etc/ssh/sshd_config

On line 32, you will see:
PermitRootLogin yes

Change to:
PermitRootLogin no

Save the changes to sshd_config

If you are doing this remotely, close the session by issuing:

exit

Open a terminal locally on your PBP and restart the ssh service:
sudo systemctl stop sshd
sudo systemctl start sshd

Now if you try to ssh directly to the root account, you will be denied, however, you can sudo your way to root from a sudoers account.

If you don't use ssh normally, you can disable automatic sshd startup:
sudo systemctl disable sshd

If you have disabled ssh on startup, you will have to start it manually to use it:
sudo service ssh start

I would suggest you change the password for both root and your standard user. Make them strong  Wink
I would also suggest that if you're going to run around with SSH enabled, you create a separate non-sudoer user for use with ssh, and deny ssh access to your sudoer accounts (unless you really need that level of remote control).

I'm really enjoying this little machine so far.

Cheers!
#2
Great post Gibby.
I'm certain I would have forgotten to check this for a few weeks or months.
I'll bookmark this and check all services running with systemctl when my pinebook arrives. Big Grin
#3
(11-01-2019, 07:07 PM)gibby Wrote: Hi all,

I just wanted to mention a security issue I noticed today when I finally got to play with my new PBP.
It appears that SSH is enabled on startup, and that root access via ssh enabled by default.

With the default un/pw being root/root, this is definitely not recommended.

For those not familiar, you can simply issue this command from another linux machine:
ssh {your PBP ip address here} -l root

Once logged in as root (either remotely or locally) you can modify your ssh config:
vi /etc/ssh/sshd_config

On line 32, you will see:
PermitRootLogin yes

Change to:
PermitRootLogin no

Save the changes to sshd_config

If you are doing this remotely, close the session by issuing:

exit

Open a terminal locally on your PBP and restart the ssh service:
sudo systemctl stop sshd
sudo systemctl start sshd

Now if you try to ssh directly to the root account, you will be denied, however, you can sudo your way to root from a sudoers account.

If you don't use ssh normally, you can disable automatic sshd startup:
sudo systemctl disable sshd

If you have disabled ssh on startup, you will have to start it manually to use it:
sudo service ssh start

I would suggest you change the password for both root and your standard user. Make them strong  Wink
I would also suggest that if you're going to run around with SSH enabled, you create a separate non-sudoer user for use with ssh, and deny ssh access to your sudoer accounts (unless you really need that level of remote control).

I'm really enjoying this little machine so far.

Cheers!


It looks my pinephone does NOT come with SSH enabled?
Welcome to Longer Vision
https://www.longervision.ca
#4
One other thing, the original Debian did not create, (or re-generate), the SSH host keys on first boot. Looks like it used the host keys from the distribution. This should not be done. All SSH host keys should be unique per computer. It's part of SSH's security.

I wrote a tutorial page about "hardening" your Pinebook Pro, which included re-generating the SSH host keys here;

Hardening your Pinebook Pro software
--
Arwen Evenstar
Princess of Rivendale


Possibly Related Threads…
Thread Author Replies Views Last Post
  Nethunter default password failed lamlarryyyy 0 267 11-23-2023, 02:48 AM
Last Post: lamlarryyyy
  Encrypted Root jaredoconnor 1 908 01-19-2023, 02:27 PM
Last Post: Cs137
  Arch Linux ARM root filesystem SKiljan 24 20,119 09-24-2022, 03:11 AM
Last Post: alexandre
  suddenly the terminal won't accept me as root hayduke 1 930 09-21-2022, 07:37 PM
Last Post: wdt
Music No sound on PBP default installation ivek 9 9,046 05-09-2021, 05:58 PM
Last Post: binholz
  RealVNC and root password mspohr 6 8,308 10-20-2020, 06:01 AM
Last Post: regivanx
  curious why KDE by default? dieselnutjob 7 7,547 07-18-2020, 03:21 PM
Last Post: Damon
  How to boot from eMMC but have root directory on an NVME? QazTheWsx 7 9,266 06-26-2020, 08:20 AM
Last Post: QazTheWsx
  Better (than default Debian/MATE) Linux distro? mspohr 34 35,247 06-11-2020, 01:34 PM
Last Post: s3rvant
  Slow WiFi on Manjaro Default Image 20.04 for PBP SuperUJ 8 9,307 05-28-2020, 08:16 PM
Last Post: nekojet

Forum Jump:


Users browsing this thread: 1 Guest(s)