Mailing List Archive

[Bug 1216] Warn via Logwatch when sshd PermitRootLogin is in effect
http://bugzilla.mindrot.org/show_bug.cgi?id=1216

Summary: Warn via Logwatch when sshd PermitRootLogin is in effect
Product: Portable OpenSSH
Version: 4.3p2
Platform: ix86
OS/Version: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: sshd
AssignedTo: bitbucket@mindrot.org
ReportedBy: russell.don@gmail.com


I originally entered this as a Linux Fedora Core 5 bug/rfe:
Ref. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201794
I was referred "upstream", and here I am. :-)

For various reasons, allowing root access by default is desirable.
That's fine.... I'm not asking to change the default.

It would be beneficial to bring that little gem to sysadmins' attention
by producing a periodic (daily) warning via the Logwatch report.

I would like to see something in my Logwatch report (SSHD section)
like:
Warning: root access is allowed via ssh. Ref /etc/ssh/sshd_config

Perhaps a new option in /etc/ssh/sshd_config:
PermitRootLoginWarn yes

Or, as the Fedora people suggested, perhaps a new value for the
PermitRootLogin option:
yes - allow access (default)
no - deny access
warn - implies "allow access", issue periodic (daily) warning via
logwatch mechanism.

Personally, I prefer a new option keyword, I think it is more clear.

Both options should be enabled by default, the sysadmin can then make an
informed decision:

1 - turn off the warning (yes, I know, I want that)
2 - deny root logon (say what?! Thanks for telling me, I'll stop that
right now)
3 - I like seeing the warning everyday :-)

Thanks :-)




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
http://lists.mindrot.org/mailman/listinfo/openssh-bugs





------- Comment #1 from dtucker@zip.com.au 2006-08-10 07:28 -------
I don't see any point to this. If you want something like this just
add a cron job:

egrep -i '^permitrootlogin.*no' /etc/ssh/sshd_config || logger root login allowed via ssh
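
A fuller version of the cron check suggested in comment #1, as an added example that is not part of the original thread or of OpenSSH: it reads the global PermitRootLogin value the way sshd resolves it (the first occurrence wins, keywords are case-insensitive, commented-out lines are ignored, lines under a Match keyword are conditional). The function names, the sample config and the fallback of `yes` for an unset keyword (the default described in this thread) are assumptions.

```shell
#!/bin/sh
# Added example, not OpenSSH code.

# Print the global PermitRootLogin value in lower case.
# $1 = sshd_config path
# $2 = value assumed when the keyword is unset (assumption: "yes", the
#      default this thread describes; newer releases default differently)
root_login_setting() {
    awk -v dflt="${2:-yes}" '
        { sub(/#.*/, ""); sub(/=/, " ") }   # drop comments, accept key=value
        NF == 0 { next }                    # skip blank lines
        { key = tolower($1) }
        key == "match" { exit }             # global section ends at first Match
        key == "permitrootlogin" { val = tolower($2); exit }  # first one wins
        END { print (val == "" ? dflt : val) }
    ' "$1"
}

# Return 0 when root login is denied, 2 when the file cannot be read;
# otherwise print the warning line the reporter asked for and return 1.
check_root_login() {
    setting=$(root_login_setting "$1" "$2") || return 2
    [ "$setting" = "no" ] && return 0
    echo "Warning: root access is allowed via ssh (PermitRootLogin $setting). Ref $1"
    return 1
}

# Demo on a constructed config: the only "no" is commented out, so the
# warning is printed.
sample=$(mktemp)
printf '%s\n' 'Port 22' '#PermitRootLogin no' 'PermitRootLogin yes' > "$sample"
check_root_login "$sample" || true
rm -f "$sample"
```

From cron, the warning can be sent to syslog, where Logwatch will pick it up, with `check_root_login /etc/ssh/sshd_config | logger -t sshd-audit`.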









------- Comment #2 from russell.don@gmail.com 2006-08-10 07:47 -------
(In reply to comment #1)
> I don't see any point to this.

The point is that after an initial install, root login is permitted via
a remote connection. (granted, authentication is still required, I'm
not suggesting that un-authenticated access is allowed.)

If people knew enough to add the suggested cron job, then they also
know enough to ensure the PermitRootLogin option is correct for their
own environment and therefore do not need the cron job.

If sshd scheduled such a cron job when starting and seeing both
"PermitRootLogin yes" and "PermitRootLoginwarn yes" options set, there
would be no "surprises".

Thanks for your consideration.






dtucker@zip.com.au changed:

           What|Removed                     |Added
----------------------------------------------------------------------------
         Status|NEW                         |RESOLVED
     Resolution|                            |WONTFIX




------- Comment #3 from dtucker@zip.com.au 2006-08-10 07:57 -------
Even in your proposal you had the default as "yes" (ie no warning), so
the admin would still have to explicitly enable it. If you want to
enable something, enable a cron job.

So, no, I don't think we'll be implementing this.









------- Comment #4 from russell.don@gmail.com 2006-08-10 08:07 -------
Yes, my example showed the PermitRootLogin yes (default)

That should have read (current default)
and then the warn setting became the new default option, if you opted to
add a new value to the PermitRootLogin option.

Anyway... WONTFIX....

That's fine, all I can do is make the suggestion. It doesn't affect me
(anymore), I just thought it would be little effort, and help new users.

Thanks for the speedy replies.

Regards.



