Is it really a bad practice to let « PermitRootLogin yes » on a production server?

Fox asked:

One day (4 years ago), I rebooted my server. After the reboot was complete, I tried to login as usual with my regular (non-root) account. At that time, I had PermitRootLogin no.

I got the answer

The system is going down on Sun Aug 16 00:43:48 2009

and couldn’t login. But it was not true, the server was not going to shutdown. It had shut down, but it was already up. Actually, I noticed that for some mysterious reason, the /etc/nologin file, created by shutdown hadn’t be deleted.

When the /etc/nologin file exists, SSH doesn’t allow any user to login, except root.

Since PermitRootLogin was set to « no », I couldn’t login and was forced to hard reboot my server in rescue mode, mount the file system, delete the /etc/nologin file, and reboot.

So, what do you think about letting PermitRootLogin set to « yes », but disable its password (passwd -l root), so that only SSH-key connection is allowed for root?

My answer:

sshd already supports the scenario you want:

PermitRootLogin without-password

This permits root to use any authentication method except password.

For a single-sysadmin scenario this is fine. Though, as has been discussed ad nauseam here and elsewhere, if you have multiple sysadmins, none of them should be logging in as root.

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.