Root login is allowed on local networks

Hi everyone,

rkhunter warns me about root login through SSH:

Warning: The SSH and rkhunter configuration options should be the same:
         SSH configuration option 'PermitRootLogin': yes
         Rkhunter configuration option 'ALLOW_SSH_ROOT_USER': no

There are two settings for PermitRootLogin in sshd_config:

$ grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin no
# If the server is a VPS, it's expected that the owner of the
# server has access to a web console through which to log in.
Match Address,,,,fe80::/10,fd00::/8
    PermitRootLogin yes

The idea is that private networks are safe(r). In general, this is questionable, and it is clearly not the case when SSH is behind port forwarding, since the SSH port listening on a private IP address is still accessible publicly.

From my perspective, the default should be no for private networks as well, shouldn’t it?

Hi, standard port forwarding should not circumvent the “Match Address” block. We found this middle ground for easy self-hosting; with the combination of a strong password and Fail2ban, users should be relatively safe.

If you personally want to be safer:

  1. There is a broad range of security parameters in your webadmin (domain.tld/yunohost/admin/#/tools/settings/security), from password strength and changing the SSH port to disabling password login (provided you create an SSH key for your user).
  2. If you still want to disable the “Match Address” block allowing root login for local addresses, check out hooks on the forum. They are scripts that enable you to automatically alter the default configurations.

In any case, we do not plan to change this default behavior.


Thanks for the quick reply. With port forwarding, I meant from a different host. For instance, on a typical home network, the router has the public IP (v4) and is configured to forward the connections to the computer hosting the SSH server on an internal server.
In this case, the root login over SSH is possible from anywhere.

No, that’s not how it works. The source IP is still an external IP. Check it yourself …


Ah OK, you mean the matching is on the address of the peer, not the local one. Then you are right. Thanks!
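To make the point of the last two replies concrete, here is an added example (not from the thread or from YunoHost) that emulates how sshd evaluates a Match Address list against the peer address and resolves the effective PermitRootLogin. The IPv4 ranges, the CIDR-only parsing and the sample client addresses are assumptions; the IPv6 ranges are the ones quoted in the thread.

```python
"""Emulate sshd's 'Match Address' evaluation for PermitRootLogin.

Added example, not sshd's or YunoHost's own code. sshd compares the
*remote* (peer) address of the connection; 'Match LocalAddress' is the
keyword that would compare the server-side address instead.
"""
import ipaddress

# Constructed sshd_config fragment modelled on the thread. The IPv4
# ranges are assumed; fe80::/10 and fd00::/8 are from the quoted config.
GLOBAL_PERMIT_ROOT_LOGIN = "no"
MATCH_ADDRESS = "10.0.0.0/8,192.168.0.0/16,fe80::/10,fd00::/8"
MATCH_PERMIT_ROOT_LOGIN = "yes"


def match_address(addr: str, pattern: str) -> bool:
    """Return True if addr matches an sshd-style address list.

    Entries are comma-separated CIDR blocks or single addresses, checked
    in order; a '!' prefix negates an entry, and a negated hit makes the
    whole list fail to match. Hostname/wildcard patterns are not handled
    here (assumption: only CIDR entries appear in the list).
    """
    ip = ipaddress.ip_address(addr)
    matched = False
    for entry in pattern.split(","):
        entry = entry.strip()
        if not entry:
            continue
        negate = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip.version == net.version and ip in net:
            if negate:
                return False  # negated match rejects the list
            matched = True
    return matched


def effective_permit_root_login(client_addr: str) -> str:
    """PermitRootLogin value that applies to a connection from client_addr.

    A connection forwarded by a NAT router still arrives with the external
    client's source IP, so it does not fall inside the private ranges and
    the global 'no' applies.
    """
    if match_address(client_addr, MATCH_ADDRESS):
        return MATCH_PERMIT_ROOT_LOGIN
    return GLOBAL_PERMIT_ROOT_LOGIN
```

On the server itself, the authoritative check is `sshd -T -C user=root,host=client,addr=<client ip> | grep -i permitrootlogin`, which prints the value sshd would apply for that connection.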