
25/8/23, 20:06 RH124 - ch10s05

Customize OpenSSH Service Configuration


Objectives
Disable direct logins as root and password-based authentication for the OpenSSH service.

Configure the OpenSSH Server


The sshd daemon provides the OpenSSH service. You can configure the service by editing the /etc/ssh/sshd_config file.

The default configuration of the OpenSSH server works well for many use cases. However, you might want to make some changes to strengthen the
security of your system. You might want to prohibit direct remote login to the root account, and you might want to prohibit password-based
authentication (in favor of SSH private key authentication).

Prohibit the Superuser from Logging In


It is a good practice to prohibit direct login to the root user account from remote systems. Some risks of allowing direct login as the root user include
the following cases:

The root username exists on every Linux system by default, so an attacker needs to guess only the password rather than a valid username and
password combination. This scenario reduces the work of a brute-force attack.

The root user has unrestricted privileges, so its compromise can lead to maximum damage to the system.

From an auditing perspective, it can be hard to track which authorized user logged in as the root user and made changes. If users must log in as
a regular user and switch to the root account, then you can view a log event for accountability.

Important
Starting in Red Hat Enterprise Linux 9, the PermitRootLogin parameter is set to the prohibit-password value by default. This value
enforces the use of key-based authentication instead of passwords for logging in as the root user, and reduces the risk of brute-force
attacks.

The OpenSSH server uses the PermitRootLogin configuration setting in the /etc/ssh/sshd_config file to allow or prohibit logging in to the
system as the root user, as in the following example:

PermitRootLogin yes

If the PermitRootLogin parameter is set to the yes value, then any remote user who knows the root password (or holds an authorized key for root) can log in directly as the root user. To prevent this situation, set the value to no. Alternatively, to prevent password-based authentication but to allow private key-based authentication for root, set

https://rha.ole.redhat.com/rha/app/courses/rh124-9.0/pages/ch10s05/85223ae4-a208-4a0c-8807-f8580dad018f
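The following script is an added example, not part of the course page or of OpenSSH itself. It applies the two settings this section recommends (PermitRootLogin no and PasswordAuthentication no) to an sshd_config-style file, and it demonstrates a caveat that sshd_config(5) documents but that is easy to miss: for each keyword, sshd uses the first value it reads, not the last, so a hardened line appended at the end of the file is silently ignored if an earlier active line already sets the keyword. The script therefore prepends the new directive and comments out every earlier active occurrence. The file path is a parameter so it can run against a scratch copy; the helper names (effective_value, set_option, harden, demo) and the sample config are assumptions made up for this example.

```bash
#!/bin/bash
# Added example (not from the course page): harden PermitRootLogin and
# PasswordAuthentication in an sshd_config-style file, honouring the
# sshd_config(5) rule that the FIRST value seen for a keyword wins.
# The file path is a parameter so this runs against a scratch copy; on a
# real RHEL 9 host you would point it at a drop-in under
# /etc/ssh/sshd_config.d/ (assumed layout) or at /etc/ssh/sshd_config.

set -u

# effective_value FILE KEYWORD
# Print the first active (non-comment) value of KEYWORD, which is the value
# sshd itself would use; print nothing if the keyword is absent.
effective_value() {
    local file=$1 key=$2
    awk -v key="$key" '
        $1 ~ /^#/ { next }                               # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$file"
}

# set_option FILE KEYWORD VALUE
# Comment out every existing active line for KEYWORD (including any inside
# a Match block, so review the result) and prepend a single "KEYWORD VALUE"
# line so the new value is the first one sshd reads.
set_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp) || return 1
    {
        printf '%s %s\n' "$key" "$value"
        awk -v key="$key" '
            $1 !~ /^#/ && tolower($1) == tolower(key) { print "#" $0; next }
            { print }
        ' "$file"
    } > "$tmp" && mv "$tmp" "$file"
}

# harden FILE
# Apply the two settings the section recommends.
harden() {
    local file=$1
    set_option "$file" PermitRootLogin no
    set_option "$file" PasswordAuthentication no
}

# demo: self-check on a constructed scratch config (not a real host's file).
# The sample deliberately sets PermitRootLogin twice to show that the first
# active line ("yes") is the one in force, not the later "no".
demo() {
    local cfg
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
# constructed sample sshd_config (assumed content for this example)
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF
    echo "before: PermitRootLogin=$(effective_value "$cfg" PermitRootLogin)"
    harden "$cfg"
    echo "after:  PermitRootLogin=$(effective_value "$cfg" PermitRootLogin)"
    echo "after:  PasswordAuthentication=$(effective_value "$cfg" PasswordAuthentication)"
    rm -f "$cfg"
}

demo
```

On a real host, validate the edited configuration with `sshd -t` before reloading, apply it with `systemctl reload sshd`, and confirm the value the daemon actually uses with `sshd -T | grep -i permitrootlogin`; `sshd -T` reports the effective, first-wins value after all Include files are processed. Because the sshd_config shipped with RHEL 9 includes /etc/ssh/sshd_config.d/*.conf near the top of the file, a directive in a drop-in file there precedes, and therefore overrides, the same directive in the main file.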
