ssh root login is not disabled in new standard Debian image


Nicolas Grilly

Aug 13, 2014, 10:27:52 AM
to gce-dis...@googlegroups.com
In the new image backports-debian-7-wheezy-v20140807, ssh root login is not disabled, and password authentication is not disabled either.

This is a recent change. In previous images, root login was disabled.

Related lines in /etc/ssh/sshd_config:

PermitRootLogin without-password
#PasswordAuthentication yes

This is in contradiction with what the documentation says here:

For security reasons, the standard Google images do not provide the ability to ssh in directly as root.

(Source: https://developers.google.com/compute/docs/instances#root)

And here:

Because you typically log in to instances via SSH, you should run your images with a secure SSH configuration.
Recommended:
- Disable root ssh login.
- Disable password authentication.
 
(Source: https://developers.google.com/compute/docs/images#sshrecommended)

Is it by design or is it an oversight?

Sylvain Bergé

Aug 14, 2014, 4:18:53 PM
to gce-dis...@googlegroups.com
Hi Nicolas,

In /etc/shadow, all accounts have a "*", which indicates that users will not be able to use a Unix/Linux password to log in!

However, without-password allows root login only with public key authentication.
But root doesn't have any key in the hidden folder .ssh. Unless you force the ssh connection with gcutil as root (deprecated by Google), no key will be created.

The question is still valid: why this change?

--
Sylvain

Jimmy Kaplowitz

Aug 15, 2014, 2:02:13 AM
to Nicolas Grilly, gce-dis...@googlegroups.com
Hello Nicolas,

All of Google Compute Engine's Debian images require users to change the configuration within the VM before password-based authentication will work. Since no passwords are in place by default, the current 20140807 Debian images are not an exception to this, although the PasswordAuthentication setting in /etc/ssh/sshd_config is different from before. That said, upcoming Debian images will once again disable the PasswordAuthentication setting, matching the relevant SSH configuration of our prior images.

One defense-in-depth security feature worth noting is that PermitRootLogin without-password, visible in those of our images which use OpenSSH packages from backports, forbids password-based SSH authentication to root even if that authentication method is otherwise enabled for other accounts. Earlier this year Debian switched the default value of this setting from yes to without-password for new installs in their next major release (Debian 8), and our Debian 7 backports images include this change.

Thanks for your inquiries, and for using Google Compute Engine.

- Jimmy
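A small audit script, added here as an example and not part of the thread or of Google's images, that evaluates the three conditions discussed above (PasswordAuthentication, PermitRootLogin without-password, and the "*" entries in /etc/shadow) together, on constructed sample input. It assumes sshd's first-occurrence-wins parsing and that an unset PermitRootLogin defaults to yes (the pre-Debian-8 default Jimmy mentions); the shadow hash in the weak sample is a fake placeholder.

```python
# Added example: audit an sshd_config / /etc/shadow pair for the conditions
# discussed in the thread. All sample inputs below are constructed.
from typing import Dict

# Constructed to match the settings Nicolas quoted from the 20140807 image.
WHEEZY_SSHD_CONFIG = """
PermitRootLogin without-password
#PasswordAuthentication yes
"""
SAMPLE_SHADOW = "root:*:16295:0:99999:7:::\nnicolas:*:16295:0:99999:7:::\n"

# Constructed weakened state: root login re-enabled and a (fake) root hash set.
WEAK_SSHD_CONFIG = "PermitRootLogin yes\nPasswordAuthentication yes\n"
WEAK_SHADOW = "root:$6$saltsalt$FAKEHASHPLACEHOLDER:16295:0:99999:7:::\n"

def parse_sshd_config(text: str) -> Dict[str, str]:
    """sshd semantics: '#' starts a comment, keywords are case-insensitive,
    and the first occurrence of a keyword wins."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            cfg.setdefault(parts[0].lower(), parts[1].strip())
    return cfg

def shadow_password_usable(shadow: str, user: str) -> bool:
    """True only if the user's hash field is a real hash: '*' and '!' lock the
    account, and an empty field is refused by sshd's default PermitEmptyPasswords no."""
    for line in shadow.splitlines():
        fields = line.split(":")
        if fields[0] == user:
            h = fields[1] if len(fields) > 1 else ""
            return bool(h) and not h.startswith(("*", "!"))
    return False

def audit(sshd_config: str, shadow: str) -> Dict[str, bool]:
    cfg = parse_sshd_config(sshd_config)
    # OpenSSH's default for an unset PasswordAuthentication is yes, which is
    # why the commented-out line in the image leaves it enabled.
    # Assumption: an unset PermitRootLogin defaults to yes (pre-Debian-8 value).
    password_auth = cfg.get("passwordauthentication", "yes").lower() == "yes"
    root_mode = cfg.get("permitrootlogin", "yes").lower()
    return {
        "password_auth_enabled": password_auth,
        # without-password (alias prohibit-password) still admits key auth
        "root_key_login": root_mode in ("yes", "without-password", "prohibit-password"),
        # root password login needs global password auth, an unrestricted
        # PermitRootLogin, and a real hash for root in /etc/shadow
        "root_password_login": password_auth and root_mode == "yes"
                               and shadow_password_usable(shadow, "root"),
    }
```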



Nicolas Grilly

Sep 18, 2014, 5:11:19 AM
to gce-dis...@googlegroups.com, nic...@vocationcity.com
Jimmy,

Thanks a lot for your detailed explanation. That's exactly the information I needed. And my apologies for the late reply!