Is PermitRootLogin based on UID or user name?

17

The man page states that PermitRootLogin

Specifies whether root can log in using ssh(1).

However, it is not clear if this check is based on the user name ("root") or the UID (0).

What happens if the root account is renamed to "admin"? Will "admin" be able to log in when PermitRootLogin=no?

What happens if there are two accounts with UID=0, i.e. "root" and "admin"? Will either of them be able to log in?

ge0rg

Posted 2016-08-24T12:00:45.553

Reputation: 272

Answers

16

It seems the check is done on UID (tested on OpenSSH_6.7p1 Debian-5+deb8u3, OpenSSL 1.0.1t 3 May 2016):

Set PermitRootLogin off:

mtak@pdv1:~$ grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no

Make sure a user named admin is created with UID 0:

mtak@pdv1:~$ sudo grep admin /etc/passwd
admin:x:0:0:Root User:/root:/bin/bash

Make sure the user can be used to log on to the system:

mtak@pdv1:~$ su - admin
Password: 
root@pdv1:~# 

Check if we can log on to the system using SSH:

mtak@rubiks:~$ ssh admin@pdv1
admin@pdv1's password: 
Permission denied, please try again.

If we turn PermitRootLogin on:

mtak@pdv1:~$ grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes

And try to log on:

mtak@rubiks:~$ ssh admin@pdv1
admin@pdv1's password: 
Linux pdv1 4.4.8-1-pve #1 SMP Tue May 17 16:14:08 CEST 2016 x86_64
Last login: Wed Aug 24 12:05:28 2016 from xxx
root@pdv1:~# 

mtak

Posted 2016-08-24T12:00:45.553

Reputation: 11 805

Interesting that even though UID 0 has the username admin, it still shows up as root@pdv1 in the shell – Dezza – 2016-08-25T10:13:56.040

1 @Dezza Possibly depends on the order lines are listed in /etc/passwd (as in: find the first entry with UID=0). – TripeHound – 2016-08-25T12:00:25.177

19

I appreciate the approach of @mtak in the other answer, but the answer is obvious even without these trials.

It is based on the UID, as you can see in the source code of openssh:

if (authctxt->pw->pw_uid == 0 &&
    !auth_root_allowed(auth_method))
    authenticated = 0;

Also every authentication method shows something like

if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
    ok = 0;

Grepping further in the code, you may notice there is no strcmp('root', pw->pw_name) or some alternative, if that will be enough for you.

Jakuje

Posted 2016-08-24T12:00:45.553

Reputation: 7 981

How do you know sshd checks for UID 0? You're not using any argumentation to support your statement. – mtak – 2016-08-24T14:19:26.347

2

Unix defines a superuser by its UID=0. Another example can be the source code of openssh.

– Jakuje – 2016-08-24T14:24:02.347

The kernel does, but you were assuming OpenSSH did as well. For example, Apache basic authentication doesn't allow root login as well, does it? Thank you for the link, I've modified your answer to include that. – mtak – 2016-08-24T14:27:10.207

1 If it would do it some other way, it would be a potential security risk. – Jakuje – 2016-08-24T14:28:42.620

Well... this doesn't prove anything. Is pw_uid the actual UID of the user? If you want to show a complete answer that the implementation actually does the check you also have to provide the code that creates that authctxt and show it actually contains the information we think and not something else... – Bakuriu – 2016-08-24T15:37:57.530

3

@Bakuriu and why would it create the pw context from something else? The openssh code is open source and interested readers can go through the whole code. Similar constructions are all over the code for every authentication method. If you grep through the code, you will never find strcmp('root', pw->pw_name), if it will make it more reliable for you.

– Jakuje – 2016-08-24T15:43:23.433

@Jakuje It'd only be a security risk if the attacker has the means to create a second uid=0 account. The reason for implementing it this way, I assume, is because it's actually not uncommon for some systems to have a second uid=0 account "toor" built-in (AIUI for the purpose of having a different login shell) – Random832 – 2016-08-24T15:48:48.253

@Random832 I don't think it would have to be an attacker. It is enough to have an unknowing user/sysadmin who would create a new user with uid=0, blindly set PermitRootLogin no and feel safe, which would not be true if it were the other way round. – Jakuje – 2016-08-24T15:59:37.260

When I was a sysadmin, many many years ago, I was part of a team of three, and we had three root accounts on each machine we managed, so that each of us could have his/her own administrative password that only he/she knew. This made extra work when configuring new machines, but it proved completely worth it the day one of my cow-orkers was fired. – zwol – 2016-08-25T14:20:36.630

@zwol That might have worked for you, but having a root account didn't keep any track or audit of what any one of you did, and therefore removing the account didn't have to prevent him from accessing the machines again. Having multiple users on multiple machines should have been solved using some Identity Management software (LDAP), and keeping track of what is going on on the systems would be nice to have, at least using sudo and centralized logging (though quite off-topic now in this question). – Jakuje – 2016-08-25T16:30:22.927
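
An audit that follows from the answers above, as an added example that is not part of the original posts or of OpenSSH: since the check is on UID 0, it lists every UID-0 account in a passwd-format file next to the PermitRootLogin value from an sshd_config-style file. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every account sshd treats as root (UID 0), whatever its name.

# uid0_accounts FILE: print each login name whose UID field is 0.
uid0_accounts() {
    awk -F: 'NF >= 3 && $3 ~ /^0+$/ { print $1 }' "$1"
}

# permit_root_login FILE: first PermitRootLogin value in an sshd_config-style
# file (sshd uses the first value it reads). Match blocks and Include files are
# not followed here; `sshd -T` reports the value a running host really uses.
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# audit PASSWD SSHD_CONFIG: one line per UID-0 account with the setting that
# applies to it.
audit() {
    setting=$(permit_root_login "$2")
    uid0_accounts "$1" | while read -r name; do
        note=""
        [ "$name" = "root" ] || note=" (not named root)"
        echo "$name: uid 0$note, governed by PermitRootLogin=$setting"
    done
}

# Constructed sample input, not taken from a real host.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
SAMPLE_PASSWD="$tmp/passwd"
SAMPLE_CONF="$tmp/sshd_config"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:0:0:Root User:/root:/bin/bash
mtak:x:1000:1000::/home/mtak:/bin/bash
EOF
cat > "$SAMPLE_CONF" <<'EOF'
# PermitRootLogin yes
Port 22
PermitRootLogin no
EOF

audit "$SAMPLE_PASSWD" "$SAMPLE_CONF"
```

On a real host, point `audit` at `/etc/passwd` and `/etc/ssh/sshd_config`; any line marked "(not named root)" is an account that PermitRootLogin covers even though its name is not root.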