|Summary:||ASTERISK-08227: No root password (security problem)|
|Reporter:||Andrew Payne (payne92)||Labels:|
|Date Opened:||2006-11-30 15:47:27.000-0600||Date Closed:||2006-12-04 14:30:55.000-0600|
|Description:||[entered for tracking]|
The default system configuration has no root password.
This is a security problem, as anyone with physical access to the box can log into the system with root (no password needed) and have complete system access.
(One option is to set the root password to the 'admin' password chosen by the user at installation time. If that's done, then the documentation needs to be updated so the user understands that that password is used for both 'admin' and 'root' logins).
|Comments:||By: Matthew Nicholson (mnicholson) 2006-11-30 16:09:39.000-0600|
I think there is a way to disable root login. Are we not already doing this? This is how ubuntu does it, which makes it impossible to login as the root user.
By: Brandon Kruse (bkruse) 2006-11-30 19:23:00.000-0600
Mnicholson is right, we are doing an ubuntu style login, from what I understand.
To where you CANNOT directly login as root and have permissions
to do anything you want.(protection reasons)
Along with this, (if it is in fact like ubuntu)
you can sudo su - to root (with your password, if you are
in the sudo file) and then change the password for root by administering
the command: passwd (not recommended, your defeating the purpose)
Of course we do this to keep you guys safe, and not
allow root access from the login screen.
By: Dorian Gray (dorian) 2006-12-02 09:37:28.000-0600
also: by default, sshd allows root login (but does disallow empty passwords)
you may consider changing /etc/ssh/sshd_config to have:
I definitely saw language in the install gui advising use of sudo to perform root operations; but probably many people are not reading those sidebar blurb texts while the installer is running.
what about some additional language on the text menu? (that update/reboot/etc. console that shows by default when *NOW runs, I don't know what to call that thing...)
By: Brandon Kruse (bkruse) 2006-12-02 17:18:59.000-0600
Doria, You are partially right.
This is a great way to be more secure, however, no one
will ever be able to login to root, because root is enabled
via ssh, but there is NO password, its absolutly impossible
You have to remember that because you can sudo to root
and use YOUR user account password, does NOT mean you
can use that password for direct login via ssh.
Not meaning to be a pain, just making sure its 100% clear.
Disabling root from ssh could definitly be a good option.
Thanks for the suggestion :]
By: James Lyons (james) 2006-12-04 14:30:54.000-0600
Preventing root from logging into the system from terminal and ssh.
Will be in beta2