Bug 1216

Summary: Warn via Logwatch when sshd PermitRootLogin is in effect
Product: Portable OpenSSH Reporter: Don Russell <russell.don>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement    
Priority: P2    
Version: 4.3p2   
Hardware: ix86   
OS: Linux   

Description Don Russell 2006-08-10 02:48:08 AEST 
I originally entered this as a Linux Fedora Core 5 bug/rfe:
Ref. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=201794
I was referred "upstream", and here I am. :-)

For various reasons, allowing root acess by default is desirable. That's fine.... I'm not asking to change the default. 

It would be beneficial to bring that little gem to sysadmins' attention by producing a periodic (daily) warning via the Logwatch report.

I would like to see something in my Logwatch report (SSHD section) like:
Warning: root access is allowed via ssh. Ref /etc/ssh/sshd_config

Perhaps a new option in /etc/ssh/sshd_config:
PermitRootLoginWarn yes

Or, as the Fedora people suggested, perhaps a new value for the PermitRootLogin option:
   yes - allow access (default)
   no  - deny access
   warn - implies "allow access", issue periodic (daily) warning via logwatch mechanism.

Personally, I prefer a new option keyword, I think it is more clear.

Both options should be anabled by default, the syadmin can then make an informed decision:

1 - turn off the warning (yes, I know, I want that)
2 - deny root logon (say what?! Thanks for telling me, I'll stop that right now)
3 - I like seeing the warning everyday :-)

Thanks :-)
Comment 1 Darren Tucker 2006-08-10 07:28:40 AEST 
I don't see any point to this.  If you want something like this just add a cron job:

egrep -i '^permitrootlogin.*no' /etc/ssh/sshd_config || logger root login allowed via ssh
Comment 2 Don Russell 2006-08-10 07:47:47 AEST 
(In reply to comment #1)
> I don't see any point to this.

The point is that after an initial install, root login is permitted via a remote connection. (granted, authentication is still required, I'm not suggesting that un-authenticated access is allowed.)

If people knew enough to add the suggested cron job, then they also know enough to ensure the PermitRootLogin option is correct for their own environment and therefore do not need the cron jb.

If sshd scheduled such a cron job when starting and seeing both "PermitRootLogin yes" and "PermitRootLoginwarn yes" options set, there would be no "surprises".

Thanks for your consideration.
Comment 3 Darren Tucker 2006-08-10 07:57:46 AEST 
Even in your proposal you had the default as "yes" (ie no warning), so the admin would still have to explicitly enable it.  If you want to enable something, enable a cron job.

So, no, I don't think we'll be implementing this.
Comment 4 Don Russell 2006-08-10 08:07:20 AEST 
Yes, my example showed the PermitRootLogin yes (default)

That should have read (current default)
and then the warn setting became the new defalt option, if you opted to add a new value to the PermitRootLogin option.

Anyway... WONTFIX....

Thant's fine, all I can do is make the suggestion. It doesn't affect me (anymore),I just thought it would be little effort, and help new users.

Thanks for the speedy replies.

Regards.
Comment 5 Darren Tucker 2006-10-07 11:45:43 AEST 
Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.