
View Full Version : root and ssh.
clocker1996 12-15-2001, 05:14 AM If my server is totally secure, and I run only apache + openssh (latest version)
Is it safe for me to set it so it permits root login?
Meaning, I can login with the username root and just be in the box
instead of logging in as a user and then su'ing
Would make my life easier
I don't have to though, just wondering..
marco 12-15-2001, 06:18 AM I've never understood fully why, but people have always told me: "never log on as root on your box, always use another user and then su"
Can somebody clear this up for me?
Anyway, maybe if you decide to permit root logins you have to change the /etc/securetty file that contains valid terminals for root logins
Cheers :)
netsolutions 12-15-2001, 06:23 AM Why not just stick with su'ing? I mean, is it really that hard to type su and then re-enter your password?
SI-Chris 12-15-2001, 06:51 AM Doesn't your SSH client support login scripts?
XTStrike 12-15-2001, 07:03 AM The reason I think personally that root is restricted is purely security.
Let's say someone wants to brute force hack root on your box, they manage it and they still can't login because it doesn't allow it, therefore they have to get TWO passwords instead of just one to get into the box.
Person Cracks Username
Person then has to login and start cracking root
During this time there is more chance of them being captured.
Anyone else see the same reasoning?
MattG 12-15-2001, 09:33 AM Meaning, I can login with the username root and just be in the box ...Would make my life easier
Easier for you, easier for others. Good luck..
Mike the newbie 12-15-2001, 09:38 AM Two locks on a door are more secure than just one lock.
JeremyL 12-15-2001, 03:35 PM I was always under the impression it was safer to login under root and disable su completely on the box. There is more of a chance that someone will crack root who already has access to the box than one outside trying to get in.
clocker1996 12-15-2001, 05:21 PM Originally posted by Intelligent Hosting
Doesn't your SSH client support login scripts?
it does
But I just wanted to know what was the *real* danger of logging in as just root via ssh, instead of user --> root
allera 12-15-2001, 05:33 PM Originally posted by JeremyL
I was always under the impression it was safer to login under root and disable su completely on the box. There is more of a chance that someone will crack root who already has access to the box than one outside trying to get in.
I don't know if this applies to all OSes, but in the world of FreeBSD, the username su'ing needs to be in the group allowed to su. If the user isn't in that group, s/he can't su. Therefore, they need to 1) find a username that is in that group, 2) crack that username's password and then 3) crack the root password.
If that still isn't secure enough for you, don't allow root logins and don't allow users on your system. :) Then, hackers only have the external exploits to use (such as the recent SSH one). ;)
allera 12-15-2001, 05:34 PM Originally posted by clocker1996
But I just wanted to know what was the *real* danger of logging in as just root via ssh, instead of user --> root
Why chance it?
qslack 12-15-2001, 05:57 PM It's good practice to not PermitRootLogins in your sshd_config because, as xtstrike said, then they'd need to find out two passwords, but also because if they su from another user account, you at least have a trail. You know who gave out their password to an intruder, or who is trying to crack your root password. If you let them log in directly as root, all you know is their IP.
It takes two extra seconds for you to log in with your normal username then su to root, but it makes attackers' jobs hundreds of times harder and riskier.
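The audit-trail point in the post above, as an added example that is not part of the original thread: it attributes each root-related event in an auth log to a named account where one exists. The log lines are constructed in the style of OpenSSH and Linux pam_unix syslog output, the function name is hypothetical, and the source address for a su event is assumed to be that account's most recent SSH login.

```python
import re

# Constructed sample lines (OpenSSH / pam_unix style), not taken from a real host.
SAMPLE_LOG = """\
Dec 15 05:14:02 web1 sshd[811]: Accepted password for alice from 198.51.100.7 port 40112 ssh2
Dec 15 05:14:30 web1 su: pam_unix(su:session): session opened for user root by alice(uid=1001)
Dec 15 06:02:11 web1 sshd[902]: Accepted password for root from 203.0.113.9 port 51533 ssh2
Dec 15 07:01:00 web1 sshd[950]: Accepted publickey for bob from 192.0.2.44 port 39001 ssh2
Dec 15 07:05:45 web1 su: pam_unix(su:auth): authentication failure; logname=bob uid=1002 euid=0 tty=pts/1 ruser=bob rhost=  user=root
"""

SSH_OK = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port \d+")
SU_OK = re.compile(r"pam_unix\(su(?:-l)?:session\): session opened for user root"
                   r"(?:\(uid=0\))? by (\S+?)\(uid=\d+\)")
SU_FAIL = re.compile(r"pam_unix\(su(?:-l)?:auth\): authentication failure;"
                     r".*\bruser=(\S+).*\buser=root")

def attribute_root_access(log_text):
    """Return one (event, account, source_ip) tuple per root-related event."""
    last_ip = {}   # account -> source IP of its most recent SSH login
    events = []
    for line in log_text.splitlines():
        m = SSH_OK.search(line)
        if m:
            user, ip = m.groups()
            if user == "root":
                # Direct root login: no named account behind it, only an address.
                events.append(("direct-root-login", None, ip))
            else:
                last_ip[user] = ip
            continue
        m = SU_OK.search(line)
        if m:
            # su success: the log names the account that became root.
            events.append(("su-to-root", m.group(1), last_ip.get(m.group(1))))
            continue
        m = SU_FAIL.search(line)
        if m:
            # Failed su: shows which account is guessing at the root password.
            events.append(("su-failed", m.group(1), last_ip.get(m.group(1))))
    return events

if __name__ == "__main__":
    for event in attribute_root_access(SAMPLE_LOG):
        print(event)
```

The direct root login comes back with `None` for the account, which is the "all you know is their IP" case; both su events carry a username as well as an address.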
Mike the newbie 12-15-2001, 09:39 PM Originally posted by allera
I don't know if this applies to all OSes, but in the world of FreeBSD, the username su'ing needs to be in the group allowed to su. ...
Ditto for RedHat Linux and OpenBSD, that I know of.
The Prohacker 12-15-2001, 10:28 PM On all of my private servers, I've disabled su'ing to root, and have the ability to login as root directly, but you must have the password and the SSH key to get in.....
Skeptical 12-16-2001, 04:06 PM But what if the hacker uploads his own "su" binary and does it from there?