1

I've been poking around my OpsWorks instances and just realized they all appear to be configured with PermitRootLogin without-password. While this is more secure than PermitRootLogin yes I'd really like to disable this entirely on some specific instances. I have not been able to find any specific details on this topic or ROOT ssh access in general in the docs or through the usual methods of research.

Is this setting required for by AWS, OpsWorks, or some other service or utility?

J. Lawson
  • 86
  • 10
  • what for? Do you have any specific reason why would you want to disable it? – Jakuje Dec 14 '15 at 22:07
  • Just added security. There is no reason (sudo is enabled for a utility) for root to be logging in over SSH. Again, unless I'm missing something done by AWS/OpsWorks. In addition I just went a reviewed a test output of AWS Inspector and they even flag the setting as a moderate level of bad. – J. Lawson Dec 14 '15 at 22:09
  • Sorry. It was wrongly stated question. I meant why would you want to disable this option = allow root login over `ssh`. – Jakuje Dec 14 '15 at 22:12
  • Hmmm, too many double negatives maybe...? I **don't** want the root account to be able to ssh into these instances. This appears to be a default setting by AWS/OpsWork and I'd like to set `without-password` to `no` and disable the ability to ssh into the instance with root account. – J. Lawson Dec 14 '15 at 22:21

1 Answers1

0

Basically, if you know that your /root/.ssh/authorized_keys file is empty and also the global one (/etc/security/authorized_keys -- not sure if always enabled and used, probably not), the behavior is the same as if there was PermitRootLogin no, until somebody with root access will put his key to this file. But with such privileges, someone can do a lot of more nasty stuff.

Also if you screw up your sudoers file, it is useful to have some spare key in safe place so you can fix it (but I think there is always the way through the web console or something, so this case is no big threat).

About the requirement, I don't see any reason why it should be.

Jakuje
  • 9,145
  • 2
  • 40
  • 44
  • Sorry, got distracted and botched the comment: /root/.ssh/authorized_keys is not empty which was one of my concerns with disabling at the sshd_config level. Now that I've looked closer at that entry I see it actually refers the user to login with the utility account that comes default: no-port-forwarding,no-agent-forwarding,no-X11-forwarding,command="echo 'Please login as the user \"[utilityaccnt]\" rather than the user \"root\".';echo;sleep 10" ssh-rsa ------ ---- and kills the connection. Funny thing is AWS flags their own configuration as a security issue. – J. Lawson Dec 15 '15 at 19:45