Linux

53392 readers

618 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz

101

Why disable ssh login with root on a server if I only log in with keys, not password? (sh.itjust.works)

submitted 1 week ago* (last edited 1 week ago) by Sandal6823@sh.itjust.works to c/linux@lemmy.ml

81 comments fedilink hide all child comments

On a server I have a public key auth only for root account. Is there any point of logging in with a different account?

(page 2) 33 comments

sorted by: hot top controversial new old

[–] irotsoma@lemmy.blahaj.zone 2 points 1 week ago

It's rarely a good idea to log in as root, doubly so if it's a system with sensitive data or services that could easily be disrupted accidentally. And even more important if multiple users log in. How will you know who broke things to teach them if they don't log in first. The only time I log in to any system as root other than a test system is when I need to sftp to access files or some other system that doesn't have a way to elevate permissions.

[–] racketlauncher831@lemmy.ml -1 points 1 week ago

Well, with root enabled, the SSH server at least need to verify the key, no? It's wasting CPU power albeit tiny amount.

[–] JubilantJaguar@lemmy.world -5 points 1 week ago (2 children)

Lots of self-important, irrational, hand-wavy responses to this question as usual.

Assuming you are the only user (sounds like it) and you secure your client device properly, then no, there is no reason not to do what you propose. Go ahead and do it, you'll save yourself lots of redundant typing and clicking.

Others here can keep performing their security theater to ward off the evil spirits.

load more comments (2 replies)

[+] ShortN0te@lemmy.ml -16 points 1 week ago (3 children)

Nope, not really. The only reason ppl recommend it is, because "you have then to guess the username too". Which is just not relevant if you use strong authentication method like keys or only strong passwords.

[–] 4am@lemm.ee -1 points 1 week ago* (last edited 1 week ago)

That is absolutely not the reason ANYONE recommends it, unless you are a complete noob and entirely unfamiliar with computer security at all, and are just pulling assumptions out of your ass. Don’t fucking do that, don’t post with confidence when you’re just making shit up because you think you know better. Because you don’t.

If there is a vulnerability in SSH (and it’s happened before), attackers could use that to get into root directly, quickly, and easily. It’s an instant own.

If root login is disabled, it’s way less likely that whatever bug it is ALSO allows them to bypass root login being disabled. Now they have to yeah, find a user account, compromise that, try to key log or session hijack or whatever they set up, be successful, and elevate to root. That’s WAY more work, way more time to detect, to install patches.

If the effort is higher, then this kind of attack isn’t going to be used to own small fry servers; it’s only be worth it for bigger targets, even if they’re more well protected.

If you leave root enabled, you’re already burnt. You’re already a bot in the DDoS network.

And why? You couldn’t be bothered to type one extra command in your terminal? One extra word at the start of each command?

Sorry bitch, eat your fucking vegetables

load more comments (2 replies)

load more comments