Home / server / Questions / 216174
Accepted
Maxim Veksler
Asked: 2010-12-27 00:44:51 +0800 CST

How Ubuntu cloud version enforces the "no root login" over ssh?

  • 772

I'm looking to tweak ubuntu cloud version default setup where is denies root login.

Attempting to connect to such machine yields:

maxim@maxim-desktop:~/workspace/integration/deployengine$ ssh [email protected]
The authenticity of host 'ec2-204-236-252-95.compute-1.amazonaws.com (204.236.252.95)' can't be established.
RSA key fingerprint is 3f:96:f4:b3:b9:4b:4f:21:5f:00:38:2a:bb:41:19:1a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-204-236-252-95.compute-1.amazonaws.com' (RSA) to the list of known hosts.
Please login as the ubuntu user rather than root user.

Connection to ec2-204-236-252-95.compute-1.amazonaws.com closed.

I would like to know in what configuration file the root blocking via ssh is configured and how I can change the printed message?

ubuntu security ssh root cloud

4 Answers

  1. Best Answer

    Old question, but no one really answered you and I have had the same question: Where does this configuration come from?

    It originates from cloudinit, precisely in cc_ssh.py within /usr/lib/python2.7/dist-packages/cloudinit/config

    This in turn is directly dependant on the file /etc/cloud/cloud.cfg. The you find a line disable_root: true.

    You should be able to override it by adjusting your user-data and add line disable_root: false. Your cloud-provider should make the user-data configurable.

    • 14

  2. Assuming your sshd configuration has PermitRootLogin yes.

    sudo grep "login as the ubuntu user" /root/.??*

    However the link Mike Scott provided is one I strongly recommend you read thoroughly and take heed of.

    ROOT SSH

    Finally, if you wish to circumvent the Ubuntu security standard and revert to the old practice of allowing ssh and rsync as root, this command will open it up for a new instance of the official Ubuntu images:

    ssh -i KEYPAIR.pem ubuntu@HOSTNAME 'sudo cp /home/ubuntu/.ssh/authorized_keys /root/.ssh/' This is not recommended, but it may be a way to get existing EC2 automation code to continue working until you can upgrade to the sudo practices described above.

    I keep root SSH logins disabled because any public facing server with SSH enabled will be battered continuously day and night by root login attempts from criminal botnets.

    Elsewhere the documentations warns

    Enabling the Root account is rarely necessary. Almost everything you need to do as administrator of an Ubuntu system can be done via sudo or gksudo. If you really need a persistent Root login, the best alternative is to simulate a Root login shell using the following command...

    sudo -i

    • 5

  3. The answer is here: http://alestic.com/2009/04/ubuntu-ec2-sudo-ssh-rsync

    Copy the authorized_keys file from the ubuntu account to the root account. Password login is disabled, so you have to have a valid ssh key to log in to any account.

    • 3

  4. Check /etc/ssh/sshd_config, option is called "Permit root login"

     PermitRootLogin
         Specifies whether root can log in using ssh(1).  The argument
         must be “yes”, “without-password”, “forced-commands-only”, or
         “no”.

    One of more useful setting is "without -password" which let's u login on root but only if you use public key authentication. man sshd_config for more info:)

    • 0