How Ubuntu cloud version enforces the "no root login" over ssh?

ssh security root ubuntu cloud

I'm looking to tweak ubuntu cloud version default setup where is denies root login.

Attempting to connect to such machine yields:

maxim@maxim-desktop:~/workspace/integration/deployengine$ ssh [email protected]
The authenticity of host 'ec2-204-236-252-95.compute-1.amazonaws.com (204.236.252.95)' can't be established.
RSA key fingerprint is 3f:96:f4:b3:b9:4b:4f:21:5f:00:38:2a:bb:41:19:1a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-204-236-252-95.compute-1.amazonaws.com' (RSA) to the list of known hosts.
Please login as the ubuntu user rather than root user.

Connection to ec2-204-236-252-95.compute-1.amazonaws.com closed.

I would like to know in what configuration file the root blocking via ssh is configured and how I can change the printed message?


Old question, but no one really answered you and I have had the same question: Where does this configuration come from?

It originates from cloudinit, precisely in cc_ssh.py within /usr/lib/python2.7/dist-packages/cloudinit/config

This in turn is directly dependant on the file /etc/cloud/cloud.cfg. The you find a line disable_root: true.

You should be able to override it by adjusting your user-data and add line disable_root: false. Your cloud-provider should make the user-data configurable.


Assuming your sshd configuration has PermitRootLogin yes.

sudo grep "login as the ubuntu user" /root/.??*

However the link Mike Scott provided is one I strongly recommend you read thoroughly and take heed of.

ROOT SSH

Finally, if you wish to circumvent the Ubuntu security standard and revert to the old practice of allowing ssh and rsync as root, this command will open it up for a new instance of the official Ubuntu images:

ssh -i KEYPAIR.pem ubuntu@HOSTNAME 'sudo cp /home/ubuntu/.ssh/authorized_keys /root/.ssh/' This is not recommended, but it may be a way to get existing EC2 automation code to continue working until you can upgrade to the sudo practices described above.

I keep root SSH logins disabled because any public facing server with SSH enabled will be battered continuously day and night by root login attempts from criminal botnets.

Elsewhere the documentations warns

Enabling the Root account is rarely necessary. Almost everything you need to do as administrator of an Ubuntu system can be done via sudo or gksudo. If you really need a persistent Root login, the best alternative is to simulate a Root login shell using the following command...

sudo -i

Related

Amazon SES e-mails ending in Yahoo & Hotmail Spam folders, even though SPF and SenderID and DKIM are set correctly
As a new Ubuntu desktop 18.04 LTS user, do I need to use ufw for a firewall or is iptables sufficient? [closed]
Installing a new 4tb hdd not knowing to go for e.g. ext4 or NTFS as a format, some advice please
How to turn a PDF grayscale in Ubuntu?
KWin: Toggle grayscale KDE destop effect with script
ALT+TAB stops working after a while in Ubuntu 21.04
Does extended support for Ubuntu 14.04 mean it now supports PHP 7.4 or above? [closed]
RZ608 MT7921K Wireless LAN Driver is not supported on ubuntu 18.04
Swappiness on WSL2 gets reset to 60
Disable shift-delete for file deletion
Error after fresh install: "You need to load the kernel first"
What application can edit WebM metadata?