138

I just installed Ubuntu 14.04 on my server and I was setting up all my config files when I came across this in my sshd_config file:

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

This made me very worried. I thought that it was possible that someone could be logging into my server as root without a password.

I tried connecting to my server as root via:

johns-mbp:~ john$ ssh root@192.168.1.48
The authenticity of host '192.168.1.48 (192.168.1.48)' can't be established.
RSA key fingerprint is 40:7e:28:f1:a8:36:28:da:eb:6f:d2:d0:3f:4b:4b:fe.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.48' (RSA) to the list of known hosts.
root@192.168.1.48's password:  

I entered a blank password and it didn't let me in, which was a relief. So my question is: what does without-password mean and why is this a default in Ubuntu 14.04?

John

4 Answers

169

From the man page:

PermitRootLogin

Specifies whether root can log in using ssh(1). The argument must be “yes”, “without-password”, “forced-commands-only”, or “no”. The default is “yes”.

If this option is set to prohibit-password (or its deprecated alias, without-password), password and keyboard-interactive authentication are disabled for root.

If this option is set to “forced-commands-only”, root login with public key authentication will be allowed, but only if the command option has been specified (which may be useful for taking remote backups even if root login is normally not allowed). All other authentication methods are disabled for root.

If this option is set to “no”, root is not allowed to log in.

Thus, prohibit-password allows root login only with public key authentication. This is often used with shell scripts and automated tasks.

Pablo Bianchi
  • Not permitting 'Root login' using password is considered stronger security than allowing it. That said, you should not be logging into root at all, unless no other method (sudo, etc.) will work. – david6 Apr 19 '14 at 21:46
  • As you can see however, while the man page indicates the default is "yes", Ubuntu has made the default "without-password". – ferrouswheel Jun 09 '14 at 21:37
  • So without-password means all methods allowed except password? It really sounds like "allowed to log in without the need of a password". – Gauthier Sep 12 '14 at 09:09
  • "All root access should be facilitated through a local logon with a unique and identifiable user ID and then via the su command once locally authenticated. Direct root login is extremely insecure and offers little in the way of audit trailing for accountability." - CIS IBM AIX Guide – Dominik Antal Sep 30 '14 at 15:15
  • This PermitRootLogin without-password in sshd_config also comes in personal-edition, single-user Debian systems, which suggests that it might be some not publicly known BACKDOOR! Best would be setting PermitRootLogin no and implementing some other protective measures. – josifoski Apr 03 '16 at 10:48
  • PermitRootLogin now accepts an argument of 'prohibit-password' as a less-ambiguous synonym of 'without-password'. – endolith Sep 16 '16 at 00:57
  • So does prohibit-password prevent an ssh key that has a password from working? – DanCat Apr 02 '17 at 00:44
  • I know this is an old post, but without-password disables PAM password challenge response: "If this option is set to ''without-password'', password authentication is disabled for root." https://linux.die.net/man/5/sshd_config . Other methods are allowed, including keys and Kerberos (host-based authentication). – Panther Jul 14 '17 at 00:19
  • @DanCat no, prohibit-password and without-password don't affect SSH key authentication at all - SSH key passwords are handled client side, not over the connection to the server. You can't log in to the server with just passwords, is all. – Thomas Ward Mar 22 '18 at 23:16
  • without-password is now deprecated in favour of prohibit-password, starting at least in Ubuntu 20.04. – Timo Jun 07 '21 at 18:23
18

Actually this setting does pretty much nothing if you are using PAM authentication. At the bottom of the sshd_config configuration file you will find:

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.

The default setting on Ubuntu is to use PAM authentication:

UsePAM yes
Atari911
  • In my brief experience, even setting this to no won't make PermitRootLogin without-password actually work, somehow! :( – cregox Dec 02 '15 at 02:34
  • @cregox if you are using a typical desktop system, you need to do ssh-copy-id -i ~/.ssh/id_rsa.pub user@ip and it creates ~/.ssh/authorized_keys. Keep in mind that if you can't log in as root you wouldn't create this file in /root/.ssh/, but it works if you copy the file there. – Rutrus May 06 '16 at 01:46
6

In newer versions of sshd (OpenSSH 7.0 and above, released on 2015-08-11) "without-password" has been changed to "prohibit-password".

Both versions work; it's probably best to use "prohibit-password" if you can: it explains itself better.

Source:

  • sshd_config(5): PermitRootLogin now accepts an argument of 'prohibit-password' as a less-ambiguous synonym of 'without-password'.
Pablo Bianchi
teknopaul
4

Note that there are legitimate reasons for logging in via root (but using cryptographic keys and never a password). A typical example is remotely syncing two servers (so that one of them can be used as fail-over). Because the structure must be identical, often a root password is required.

Here is an example using unison for the synchronisation.

Pablo Bianchi
  • Won't logging in with a normal user (using cryptographic keys most likely) and having it belong to the sudo group allow you to do this as well? – dutoitns Mar 31 '16 at 14:19
  • As far as I've tested it (that was back in 2015!), the answer is 'no' — it really didn't work. That might be a good reason why unison has been out of fashion lately (which is really a pity, since it continues to be developed). – Gwyneth Llewelyn May 31 '20 at 22:20