Thursday, April 30, 2015

Root Login Disabled by Default in Debian Jessie

If you, like me, waited a long time for the release of Debian Jessie 8.0, and after a fresh install of the system you could not log in to the box as root: well... Don't Panic and grab your towel! ;)

Here is some news for you:

https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.en.html#openssh
OpenSSH server defaults to "PermitRootLogin without-password" 
In an attempt to harden the default setup, the openssh-server configuration will now default to "PermitRootLogin without-password". If you rely on password authentication for the root user, you may be affected by this change.
The openssh-server will attempt to detect such cases and increase the priority of its debconf prompt.   

Here is a trick:

During the installation, Debian asked you to add another user with privileges, right? In my case, I created the user "yoda".

So what we are going to do now is log in to the server as this user:

ximena@xdev:~$ ssh test02.ximunix.org -l yoda -p 22
yoda@test02.ximunix.de's password: 

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 30 11:14:11 2015 from xdev.ipandmore.de
yoda@test02:~$ 

Now we will "su" into the root account:

yoda@test02:~$ su root
Passwort: 
root@test02:/home/yoda# 

Edit the sshd_config file:

root@test02:~# vi /etc/ssh/sshd_config 

And change this line:
PermitRootLogin without-password
To this line:
PermitRootLogin yes

Now, restart ssh:
root@test02:~# /etc/init.d/ssh restart

And you are ready to go. 

After you log in to your server as root, change or install whatever you need, and when you are done, please change the sshd_config to "PermitRootLogin no" in order to avoid any major security risks. It's never good to have "PermitRootLogin" set to "yes".
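A small check for the cleanup step above, as an added example that is not part of the original post: it reads an sshd_config file and reports the PermitRootLogin value sshd will actually use (the first one it reads), so a leftover "yes" is caught. The function names and the sample config are constructed for illustration, and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not from the original post): audit PermitRootLogin in an
# sshd_config file. Function names are hypothetical.

# Print the global PermitRootLogin value. sshd keeps the FIRST value it
# reads for a keyword, keywords are case-insensitive, and "Key=value" is
# accepted. Parsing stops at the first Match block (conditional settings).
effective_root_login() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit
            if (key == "permitrootlogin") {
                val = tolower(f[2]); gsub(/"/, "", val)
                print val; found = 1; exit
            }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Return 0 when root password login is off, 1 when it is on, 2 when unclear.
check_root_login() {
    value=$(effective_root_login "$1")
    case "$value" in
        yes) echo "FAIL: root can log in over SSH with a password"; return 1 ;;
        no)  echo "OK: root login over SSH is disabled" ;;
        without-password|prohibit-password)
             echo "OK: root login is limited to non-password methods (keys)" ;;
        forced-commands-only)
             echo "OK: root limited to key-bound forced commands" ;;
        unset) echo "WARN: not set, this sshd build's default applies"; return 2 ;;
        *)   echo "WARN: unrecognised value: $value"; return 2 ;;
    esac
}

# Constructed sample: a temporary "yes" sits above the intended "no".
sample=$(mktemp)
printf '%s\n' 'Port 22' '#PermitRootLogin without-password' \
    'PermitRootLogin yes' 'PermitRootLogin no' > "$sample"
check_root_login "$sample" || true   # prints the FAIL line: first value wins
rm -f "$sample"
```

On the server itself, pass /etc/ssh/sshd_config as the argument. Running `sshd -t` before the restart checks the edited file for syntax errors.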

Hope it helps. :)