Unable to prevent root account in ssh

Had setup ssh in openSUSE 11.2 and modified the configuration file /etc/ssh/sshd_config to PermitRootLogin no

However, I am still able to login through ssh as a normal user and then do a su to switch to a superuser/root.

Isn’t PermitRootLogin no supposed to prevent this?

How can I prevent root in ssh?

No, why should it?
It forbids/permits login as root, so it exactly does, what the name says.

Forget your root password?

michalng wrote:
> However, I am still able to login through ssh as a normal user and then
> do a su to switch to a superuser/root.

yep, which is another good reason to have a root password that looks
more like k2_QE=sz0Ho than rootsecret


DenverD (Linux Counter 282315)
CAVEAT: http://is.gd/bpoMD
posted via NNTP w/TBird 2.0.0.23 | KDE 3.5.7 | openSUSE 10.3
2.6.22.19-0.4-default SMP i686
AMD Athlon 1 GB RAM | GeForce FX 5500 | ASRock K8Upgrade-760GX |
CMedia 9761 AC’97 Audio

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Or give the root user NO password so using ‘su’ fails altogether (an
account with no password cannot be su’d to). The purpose of the
PermitRootLogin feature in SSH is to prevent somebody from coming into
your server as root without you knowing who they really are. It’s the
difference between having an account on a machine and having an identity.
If I SSH in from some random DHCP-assigned box as root you have no idea
who I am. If I SSH in as me and then su to root then you know that the
person who did “evil things” was me based on the audit trail left behind
by su and then you can send Guido after me to break my legs.

Good luck.

On 05/02/2010 02:56 AM, Akoellh wrote:
>
> michalng;2160057 Wrote:
>> Had setup ssh in openSUSE 11.2 and modified the configuration file
>> /etc/ssh/sshd_config to PermitRootLogin no
>>
>> However, I am still able to login through ssh as a normal user and then
>> do a su to switch to a superuser/root.
>>
>>
>> Isn’t PermitRootLogin no supposed to prevent this?
>
> No, why should it?
> It forbids/permits login as root, so it exactly does, what the name
> says.
>
> michalng;2160057 Wrote:
>>
>> How can I prevent root in ssh?
>
> Forget your root password?
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJL3YzlAAoJEF+XTK08PnB5AmkQALS0ISiatLfeHCo6q2ctSQmn
SjZOS1aPjsAOVYPFS/zh5gX2mXmtADWWDx5mWqjN6fn684uxx+kXg6+inlqp+gVP
ioAYXfvDu3Ts7/OptYQMFlBcOuGjpjpkE9WBzebzeKoP7/hvSNEJ65zehoYMYfyp
v5w7E66TsTsy6OKfChIKh1orKHa8L5uspB7mavXZLnS7RhxC9hb52uNWYNjNNOau
q1R8jboET/0k23KmAqE5wPF8WSX7nrwagydf9Jkz36N19uMCfzN8XWqsAvVVVN+b
v4nC6SJRf786awKG1Dv0A93NJYMlcCv2Q8I+Jt2W6JT1TrfpUKsFjABJi7GhMTyW
cyRrE0h0NKglDE4ZRMNSLygraD5chsTnWh0VSlgjvHG7BfMQ13AbrSBsIX9KirGz
rMNgE+nA14sBlJS6MujvwYHrq7qSo6r552Tn/eiF9SmXqDQt1x9XxIita/1zRMdh
ApwKytZddIdQ+xepUz+RdQrbLpLtCxPgnK54hHv+7MoAKhX26GpWQ8en9A8agrhT
bOwEFvWRWpb8kC3P+JjWo0hQLkKNzAo7pRbetkrYWWXUnCWVOLNPmo5Df57xNNTE
mRzxqdeQXUBCYn9HCo0+8leetxArqoHa6Kv+VGxo2NeyG8mgQLWPdrBhoQi6a7Dd
SP6uJ3SfH5oIpQlOVGk5
=uDm2
-----END PGP SIGNATURE-----

Yup, got that, thanks.