Bug 1216 - Warn via Logwatch when sshd PermitRootLogin is in effect
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 4.3p2
Hardware: ix86 Linux
: P2 enhancement
Assignee: Assigned to nobody
Reported: 2006-08-10 02:48 AEST by Don Russell
Modified: 2006-10-07 11:45 AEST
Description Don Russell 2006-08-10 02:48:08 AEST
I originally entered this as a Linux Fedora Core 5 bug/rfe:
Ref. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201794
I was referred "upstream", and here I am. :-)

For various reasons, allowing root access by default is desirable. That's fine.... I'm not asking to change the default.

It would be beneficial to bring that little gem to sysadmins' attention by producing a periodic (daily) warning via the Logwatch report.

I would like to see something in my Logwatch report (SSHD section) like:
Warning: root access is allowed via ssh. Ref /etc/ssh/sshd_config

Perhaps a new option in /etc/ssh/sshd_config:
PermitRootLoginWarn yes

Or, as the Fedora people suggested, perhaps a new value for the PermitRootLogin option:
   yes - allow access (default)
   no  - deny access
   warn - implies "allow access", issue periodic (daily) warning via logwatch mechanism.

Personally, I prefer a new option keyword, I think it is more clear.

Both options should be enabled by default, the sysadmin can then make an informed decision:

1 - turn off the warning (yes, I know, I want that)
2 - deny root logon (say what?! Thanks for telling me, I'll stop that right now)
3 - I like seeing the warning everyday :-)

Thanks :-)
Comment 1 Darren Tucker 2006-08-10 07:28:40 AEST
I don't see any point to this.  If you want something like this just add a cron job:

egrep -i '^permitrootlogin.*no' /etc/ssh/sshd_config || logger root login allowed via ssh
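
A fuller version of the cron check suggested in comment 1, as an added example that is not part of the original thread or of OpenSSH: it reports the value sshd would actually use, since sshd takes the first occurrence of a keyword, and it also stops at `Match` blocks, which goes beyond what the thread discusses. The function names, the `DEFAULT_VALUE` variable and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find the effective global
# PermitRootLogin value and produce a warning line when it is not "no".

# Assumption: "yes" is the built-in default, as described on this page.
DEFAULT_VALUE=${DEFAULT_VALUE:-yes}

# Print the value used outside any Match block.
# Keywords are case-insensitive and the first occurrence wins.
effective_root_login() {
    awk -v def="$DEFAULT_VALUE" '
        /^[ \t]*#/ { next }                      # comment lines do not count
        tolower($1) == "match" { exit }          # later lines are conditional
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print def }            # keyword absent: default
    ' "$1"
}

# Print a warning and return 1 when root login is not disabled.
# Returns 0 silently when the effective value is exactly "no".
root_login_warning() {
    value=$(effective_root_login "$1") || return 2
    [ "$value" = "no" ] && return 0
    echo "Warning: root access is allowed via ssh (PermitRootLogin $value). Ref $1"
    return 1
}

# Constructed sample config: "yes" comes first, so the later "no" is ignored
# by sshd, and the "no" under Match applies only to that one user.
sample=$(mktemp)
printf '%s\n' \
    'Port 22' \
    'PermitRootLogin yes' \
    'PermitRootLogin no' \
    'Match User backup' \
    'PermitRootLogin no' > "$sample"
root_login_warning "$sample" || true
rm -f "$sample"

# Daily cron usage against the real file (path from the page):
# msg=$(root_login_warning /etc/ssh/sshd_config) || logger "$msg"
```
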
Comment 2 Don Russell 2006-08-10 07:47:47 AEST
(In reply to comment #1)
> I don't see any point to this.

The point is that after an initial install, root login is permitted via a remote connection. (granted, authentication is still required, I'm not suggesting that un-authenticated access is allowed.)

If people knew enough to add the suggested cron job, then they also know enough to ensure the PermitRootLogin option is correct for their own environment and therefore do not need the cron job.

If sshd scheduled such a cron job when starting and seeing both "PermitRootLogin yes" and "PermitRootLoginwarn yes" options set, there would be no "surprises".

Thanks for your consideration.
Comment 3 Darren Tucker 2006-08-10 07:57:46 AEST
Even in your proposal you had the default as "yes" (ie no warning), so the admin would still have to explicitly enable it.  If you want to enable something, enable a cron job.

So, no, I don't think we'll be implementing this.
Comment 4 Don Russell 2006-08-10 08:07:20 AEST
Yes, my example showed the PermitRootLogin yes (default)

That should have read (current default)
and then the warn setting became the new default option, if you opted to add a new value to the PermitRootLogin option.

Anyway... WONTFIX....

That's fine, all I can do is make the suggestion. It doesn't affect me (anymore), I just thought it would be little effort, and help new users.

Thanks for the speedy replies.

Regards.
Comment 5 Darren Tucker 2006-10-07 11:45:43 AEST
Change all RESOLVED bugs to CLOSED with the exception of the ones fixed post-4.4.