SSH root login

Hi,

I have found in /etc/ssh/sshd_config
PermitRootLogin yes

According to this option, root can login over ssh.
On osmc OS, as osmc user I can become root with sudo su, but I don’t know the root password.

Anyway, I would like to prevent root login over ssh.
Is PermitRootLogin no everything I need?

As the wiki states https://osmc.tv/help/wiki/login

By default, OSMC ships with the root user disabled. You can enable it by typing the following command: sudo passwd root

So unless you set a password root will not be able to login.
But disabling the root access in ssh would be a double up protection.

Thanks

1 Like
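The two settings discussed above (PermitRootLogin in sshd_config and whether root has a usable password) can be checked together. The script below is an added example, not part of the thread or of OSMC; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example. Functions take file paths so they can be tried on copies.

# Global PermitRootLogin value from an sshd_config-style file. sshd uses the
# first value it reads for a keyword, and keywords are case-insensitive.
# Stops at the first Match block (conditional); Include files are not followed.
permit_root_login() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/) }
        line ~ /^#/ { next }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == "permitrootlogin" { print tolower(f[2]); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# State of root's password field in a shadow-format file:
# a "!" or "*" prefix means locked (no password can match).
root_password_state() {
    field=$(awk -F: '$1 == "root" { print "=" $2; exit }' "$1")
    case "$field" in
        '')          echo "missing" ;;
        '=')         echo "empty" ;;
        '=!'*|'=*'*) echo "locked" ;;
        *)           echo "set" ;;
    esac
}

# Do these two settings block a root *password* login over SSH?
# Key-based login and PasswordAuthentication are outside this check.
root_password_login() {
    case "$(root_password_state "$2")" in
        locked|missing) echo "blocked"; return ;;
    esac
    case "$(permit_root_login "$1")" in
        yes)   echo "not-blocked" ;;
        unset) echo "depends-on-sshd-default" ;;
        *)     echo "blocked" ;;
    esac
}

# Constructed sample: PermitRootLogin yes with a locked root password.
tmp=$(mktemp -d)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' > "$tmp/sshd_config"
printf '%s\n' 'root:*:16000:0:99999:7:::' > "$tmp/shadow"
echo "PermitRootLogin: $(permit_root_login "$tmp/sshd_config")"
echo "root password:   $(root_password_state "$tmp/shadow")"
echo "password login:  $(root_password_login "$tmp/sshd_config" "$tmp/shadow")"
rm -rf "$tmp"
```

On a live system, `sudo sshd -T` prints the configuration sshd actually uses, including defaults, and is the authoritative source for the first value.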

There is no need to make a root password, you can just

sudo -s

when logged in as osmc.

Actually, with the newest builds, you cannot login to osmc via SSH with the root account, even if you’ve set a password previously.
This is due to the fact that OSMC uses PAM authentication and in the sshd_config file, the PermitRootLogin without-password should be changed to PermitRootLogin yes

Yes, logging in with root is a major security risk. Yes, some people are aware of this, and don’t like to sudo at every f**in moment. Please grant the choice of free will to those people…

Linux used to be straight-forward…

Log in as user osmc and type once:
sudo su
Then you are logged in as root for the rest of the session.

You could even automate this command in a lot of ssh clients.

The choice is there, the users just need to edit the sshd_config file. If they are looking to log on as root then I’d hope they’d also know how to edit a config file.

I myself sudo su - and become root that way if sudoing every command is not acceptable.

1 Like

PermitRootLogin has defaulted to no since day one. This has not changed in “the newest builds”.

So type sudo -s after logging in, then you are root for the rest of the session. Not that difficult?

You have free will - edit /etc/ssh/sshd_config and customise the settings to your heart’s content. OSMC updates will not change these settings.

Nearly all Linux distributions for at least the last 10 years have discouraged directly logging in as root, including Debian, on which OSMC is based, so we are simply following accepted industry standards.

2 Likes

So fix the sshd_config file, it’s as simple as that; it takes less time than complaining here does.

Then make the file unchangeable with chattr

No need to use chattr. OSMC updates respect user customisation of sshd_config since the October release. Prior to that it was not marked as a conffile in the Debian package.

Actually something did change in the config, as in the past it was sufficient to just sudo passwd and give the root account a password to be able to log in with root.
I didn’t dig into the details, but I just wanted to point out that there is an additional step needed in order to make it work again.
Coming back to the idea, as long as it’s straightforward, yes, it’s better to have good security. But no offense, this is not a straightforward implementation. Not setting a root password, but setting sshd config to permit login without password, which later on in the PAM it’s denied … in is just not it.

Before you get too bent out of shape about the default configuration of sshd I’d like to point out that OSMC until recently used the exact same default sshd_config as upstream Debian.

We recently made one change, which was to comment out the “Banner” directive to stop OSMC reporting the OS type before a user logs in.

Well you’d need to dig into that to find what supposedly changed, because we only made this one Banner change to sshd_config in the entire time that OSMC has been available.

I don’t think it’s worth the effort digging in, as there is a ‘fix’ for it (although it took me some minutes to figure out what’s wrong).
But if you take a look at the first post, made by kriticar, maybe something did change:

Hi,

I have found in /etc/ssh/sshd_config
PermitRootLogin yes

According to this option, root can login over ssh.

as now this option is not ‘yes’, but ‘without-password’

Instead of guessing, let’s look at the facts. Here is the entire history of sshd_config as shipped with OSMC:

The very first version committed on Nov 9, 2014 did actually have PermitRootLogin without-password, I’ll grant you that, however it was changed to PermitRootLogin yes on Dec 21 2014 which is way before the June 2015 first stable release of OSMC. In fact it pre-dates any of the public Alpha releases as well.

So unless someone was running a pre-Alpha test build this setting has never changed in OSMC’s lifetime.

I just want to see one more file, and I’m convinced :slight_smile:
/etc/pam.d/sshd
I’ve searched through the repo, but couldn’t find it…

That’s because that file is part of the Debian openssh-server package:

osmc@rpi2:~$ dpkg -S /etc/pam.d/sshd
openssh-server: /etc/pam.d/sshd

Eg we just use the Debian supplied version of this file. So you would need to check whether Debian have made any changes to this file in recent upgrades. Seems unlikely though.

I see.
So then I would say to end our arguing :slightly_smiling: