SSH: Deactivate root account and use a "non-root" one?

dunkelheit
Initiate

Hi all,
this is my first post, but I have followed this very useful forum since I got my ReadyNAS one year ago.
I usually like to play with the ssh protocol to gain access to my home ReadyNAS Duo from my workplace.
But I recently read about ssh security risks (brute force, etc.), so I would like to know if there is a way to
disable the standard root access and to leave only a "non-root" account active for access.
This way I would like to log in and, only after that, escalate privileges if needed.

And... one other question:
I'm monitoring all access from /var/log, but is there any add-on to do this in an easier way?

Thanks to all!
Message 1 of 4
lpreat
Aspirant

Re: SSH: Deactivate root account and use a "non-root" one?

I would proceed in this way:

1. Open an ssh session with the root account

2. Give user User1 the rights to open an ssh session
- edit the file /etc/passwd.
- the first row should start with root:... and end with :/bin/bash. Leave it as it is for the moment
- look at the row starting with an account you have created with FrontView (e.g. User1). The row should end with :/bin/false. Replace /false by /bash and save the file. The account user1 now has permission to open an ssh session.

3. Give user User1 the rights to execute the command "sudo"
- adduser user1 sudo (this will make user1 member of the group sudo)
- edit the file /etc/sudoers and add the line:
%sudo ALL= NOPASSWD : ALL
- save the file. User1 now has the rights to launch the command "sudo" from the ssh session

4. Test the ssh connection opened by User1.
- open a new ssh session with User1 and User1 password. You should get the $ prompt.

5. Test sudo
- in the session opened by User1 type the command
sudo bash
- You should get the prompt #. You are now logged in as root. That is what you wanted to achieve!

6. Remove root's permission to open an ssh session.
- edit the /etc/passwd file and replace /bash by /false at the end of the row starting with root:. Save the file. Root should no longer have the ability to open an ssh session.

That is it!
Make sure to make backup copies of your /etc/passwd and /etc/sudoers files before doing all this. Just in case ...



Message 2 of 4
dunkelheit
Initiate

Re: SSH: Deactivate root account and use a "non-root" one?

This works great!
Thanks.

I think it would be better if User1 needed to enter a password before getting the root shell.
How can I do this? I suppose I need to edit the %sudo ALL= ..... part in the sudoers file!
But how must this be edited?
Message 3 of 4
lpreat
Aspirant

Re: SSH: Deactivate root account and use a "non-root" one?

Please look at the man page of sudoers for further details of the syntax.

%sudo ALL = ALL should enable the password authentication

You can also mix authentication and no authentication. For instance
%sudo ALL = command1, NOPASSWD: command2
will allow you to launch command1 with password authentication and command2 without authentication. No commands other than command1 and command2 will be accepted.

Please also be aware that using visudo is preferable for editing the sudoers file. This command will automatically check the syntax before saving the file.
Message 4 of 4
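
Added example, not part of any post in this thread: a read-only pre-flight check for the procedure above. Before root's shell is changed, it confirms that the non-root account has a login shell, is listed in group sudo, and that a %sudo rule exists, flagging NOPASSWD. The function names and the sample passwd, group and sudoers contents are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check to run before step 6; file paths are arguments (backups work too).

# Print the login shell (7th passwd field) of user $1 in passwd file $2.
login_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 } END { exit !found }' "$2"
}

# Succeed if user $1 is a listed member of group $2 in group file $3.
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$3"
}

# Print "nopasswd", "password" or "none" for the last %sudo rule in file $1.
sudo_rule_mode() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "%sudo" { mode = ($0 ~ /NOPASSWD[ \t]*:/) ? "nopasswd" : "password" }
        END { print (mode == "" ? "none" : mode) }' "$1"
}

# Return 0 only if user $1 could still log in and reach root via sudo.
# Args: user passwd_file group_file sudoers_file
safe_to_lock_root() {
    shell=$(login_shell "$1" "$2") || { echo "FAIL: no passwd entry for $1"; return 1; }
    case "$shell" in
        */false|*/nologin) echo "FAIL: $1 has non-login shell $shell"; return 1 ;;
    esac
    in_group "$1" sudo "$3" || { echo "FAIL: $1 is not in group sudo"; return 1; }
    mode=$(sudo_rule_mode "$4")
    if [ "$mode" = none ]; then echo "FAIL: no %sudo rule found"; return 1; fi
    if [ "$mode" = nopasswd ]; then echo "WARN: %sudo rule has NOPASSWD"; fi
    echo "OK: $1 can log in and use sudo ($mode)"
}

# Constructed sample files (not taken from a real device), in a temp dir.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'user1:x:1001:100::/home/user1:/bin/bash' \
        'guest:x:1002:100::/home/guest:/bin/false' > "$d/passwd"
    printf '%s\n' 'sudo:x:27:user1' 'users:x:100:' > "$d/group"
    printf '%s\n' 'root ALL=(ALL) ALL' '%sudo ALL= NOPASSWD : ALL' > "$d/sudoers"
    echo "$d"
}
sample=$(make_sample)
safe_to_lock_root user1 "$sample/passwd" "$sample/group" "$sample/sudoers"
rm -rf "$sample"
```

On the device, pass /etc/passwd, /etc/group and /etc/sudoers as the three file arguments, running as root so that sudoers is readable.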