Why is root password disabled in SSH when the sudo user can do everything anyway?

by Laurence Cope   Last Updated September 13, 2017 14:01 PM

I've started to use a Raspberry Pi in which the root user is not allowed to SSH in. The default user, pi, you are.

Unfortunately some scripts I use on a Centos machine for which I use root for was causing issues using the pi user.

I took the easy way and enabled root user.

But I am confused why it's disabled in the first place. Using sudo I could do everything root could anyway couldn't I? That's what it seemed.

But more importantly using sudo as pi I could enable root access anyway. So anyone using the pi user could do that.

So what's the point in disabling root password when I can use sudo or just easily enable it anyway?

Tags : ssh

Answers 1

I can see several reasons:

  • It is first higly discouraged to use root user (reasons explained here) and you shoud always prefer use sudo. In fact sudo follow the security principle i n which each user/application should only have the minimal required rights. If you use root account, all application will gain root rights, that are not required for all.

  • ssh authorized users may not also be sudoers

  • It's also recommended (as a best practice) to forbid password login and to allow passwordless authentication mechanisms such as ssh keys. In that case, even if an attacker can log in, he still has to guess the user password to execute sudo command.

September 13, 2017 13:32 PM

Related Questions