PermitRootLogin is set to no and I cannot log in, but why is a password still requested from the user?

I have disabled PermitRootLogin and I cannot log in to the server as root, but a password is still requested from the user:


Is this correct? Or is there something I'm missing? Why is a password asked for when root login is not permitted?!


Solution 1:

Why is a password asked for when root login is not permitted?!

One of the rules of security is not to tell an attacker whether something is enabled or disabled. This is just one example. Another is logging in as a non-existent user: it will also ask for a password.

Telling an attacker "root is disabled" or "the user does not exist" gives him some information which you would not want to give away. These are side channels that would allow him to eliminate one part of the attack surface and focus on others.

If you don't want a password to be asked for, you would need to disable password authentication completely.
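A practical check for the advice above, added here as an example and not part of the original answer: sshd uses the first occurrence of each keyword in sshd_config (later duplicates are ignored), so appending `PasswordAuthentication no` below an earlier `yes` changes nothing. The script reproduces that first-match rule over two constructed config files; the function names and the sample configs are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example (not from the original post): report the effective
# PermitRootLogin / PasswordAuthentication values of an sshd_config, using
# sshd's rule that the FIRST occurrence of a keyword outside Match blocks wins.

# effective_value FILE KEYWORD -> first value set outside Match blocks
# ("Key value" or "Key=value", keyword case-insensitive), or "unset".
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/#.*/, ""); gsub(/=/, " ") }     # drop comments, Key=value -> Key value
        NF == 0 { next }                        # blank or comment-only line
        tolower($1) == "match" { inmatch = 1 } # everything after Match is conditional
        inmatch { next }
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# password_logins_closed FILE -> exit 0 only if both keywords are effectively
# "no" (an unset PasswordAuthentication means "yes" in sshd).
password_logins_closed() {
    root=$(effective_value "$1" PermitRootLogin)
    pw=$(effective_value "$1" PasswordAuthentication)
    printf 'PermitRootLogin=%s PasswordAuthentication=%s\n' "$root" "$pw"
    [ "$root" = "no" ] && [ "$pw" = "no" ]
}

# Constructed sample 1: the later "no" is ignored because an earlier "yes"
# (e.g. a distro default) comes first, so password prompts still appear.
sloppy=$(mktemp)
cat > "$sloppy" <<'EOF'
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no   # added later, has no effect
Match User backup
    PasswordAuthentication no
EOF

# Constructed sample 2: the hardened form, key-based authentication only.
hardened=$(mktemp)
cat > "$hardened" <<'EOF'
PermitRootLogin no
PasswordAuthentication=no
KbdInteractiveAuthentication no
EOF

password_logins_closed "$sloppy"   || echo "sloppy config still prompts for passwords"
password_logins_closed "$hardened" && echo "hardened config: password prompts disabled"
rm -f "$sloppy" "$hardened"
```

On a real host, `sshd -T` prints the values sshd actually applies and is the authoritative check after editing the file.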