incorrectly warns about ssh settings

Bug #43124 reported by Matt Galvin
Affects: rkhunter (Ubuntu)
Status: Won't Fix
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: rkhunter

--- snip ---
* Check: SSH
   Searching for sshd_config...
   Found /etc/ssh/sshd_config
   Checking for allowed root login... Watch out Root login possible. Possible risk!
    info: PermitRootLogin yes
    Hint: See logfile for more information about this issue
   Checking for allowed protocols... [ OK (Only SSH2 allowed) ]
--- snip ---

"PermitRootLogin yes" is the new default for both Debian and upstream, therefore this warning is not entirely correct and should not be displayed in such a scary fashion.

See /usr/share/doc/openssh-server/README.Debian.gz for more on why.

Revision history for this message
Matti Lindell (mlind) wrote :

IMO this behavior is not a bug. rkhunter correctly warns about the ssh root login risk; it shouldn't matter what security policy the distribution enforces.

I'd consider it a bug instead if rkhunter wouldn't warn when PermitRootLogin is enabled.

Revision history for this message
Marco Rodrigues (gothicx) wrote :

Hi! Can you check if this is still an issue for you with version 1.3.0-1 in Ubuntu Gutsy?

Thanks!

Changed in rkhunter:
assignee: nobody → gothicx
importance: Medium → Low
status: New → Incomplete
Revision history for this message
helpdeskdan (helpdeskdan-gmail) wrote :

As he said, this is NOT a bug - SSH root login is a real security vulnerability. IMHO, and the opinion of countless security experts, it SHOULD be off by default. Brute forcing the root login is a very common practice - I've seen it myself.

Rich Johnson (nixternal)
Changed in rkhunter:
assignee: gothicx → nobody
Revision history for this message
Steve (st3v3) wrote :

...and brute forcing has become a more acute problem in light of the recent OpenSSL vulnerability. Exploitation of weak SSH keys is made much easier if the attacker knows a valid username on the target system; by permitting root login, you are making an attacker's job much easier.

(Though <email address hidden> seems to argue in favour of permitting root login, he fails to make an argument - at least in README.Debian.gz - as to why it is a good idea. I hope the recent SSL key brute force proof-of-concepts serve to change his mind.)

In most cases the same can be achieved through the use of a non-root user account and sudo - so IMHO rkhunter is right to warn about this, irrespective of Debian/Ubuntu defaults.

Revision history for this message
Steve (st3v3) wrote :

On reflection, I think it's worth noting...

Although by default the root account on Ubuntu has no password set - so mitigating the risk of brute-forcing password logins - it is still possible to login as root given "PermitRootLogin yes" and a valid private key.

Perhaps rkhunter should warn iff PermitRootLogin yes && (root has a password set || root has an authorized keys file).
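
Steve's proposed rule is small enough to write down. The script below is an added example, not rkhunter's own check and not Ubuntu's code: it decides whether a PermitRootLogin warning is warranted by combining the effective sshd_config value with whether root can actually authenticate, and it goes beyond the thread by also handling the `prohibit-password` / `without-password` and `forced-commands-only` values (key-only login is still root login). Assumptions: sshd_config uses "Keyword value" lines, the first global value wins and anything after the first `Match` block is conditional and ignored; root's password state comes from a shadow-format file; root's keys live in a single authorized_keys file; an absent directive is treated as the OpenSSH 7.0+ default (`prohibit-password`). All three paths are parameters, so it can run against copies or fixtures rather than the live system, where reading `/etc/shadow` needs root anyway.

```shell
#!/bin/sh
# Added example (not rkhunter's own code): warn about PermitRootLogin only when
# root can actually log in, as suggested in the thread, generalised to the
# other PermitRootLogin values. File paths are parameters for testability.

# Print the effective global PermitRootLogin value (lower-cased), or nothing if
# the directive is absent. OpenSSH uses the first value it reads; lines after
# the first "Match" keyword are conditional and are deliberately not considered.
permit_root_login() {
    awk '
        tolower($1) == "match"           { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$1"
}

# True if root has a usable password hash in the shadow file: field 2 must be
# non-empty and must not start with "!" or "*" (locked/disabled, Ubuntu's default).
root_password_set() {
    awk -F: '$1 == "root" { h = $2 } END { exit !(h != "" && h !~ /^[!*]/) }' "$1"
}

# True if the authorized_keys file is readable and holds at least one key line
# (anything that is neither blank nor a comment).
root_has_authorized_keys() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# Usage: ssh_root_login_check SSHD_CONFIG SHADOW_FILE AUTHORIZED_KEYS
# Prints a one-line verdict. Returns 0 when a warning is warranted, 1 when root
# login over ssh is not actually possible, 2 on an unrecognised value.
ssh_root_login_check() {
    prl=$(permit_root_login "$1")
    # Absent directive: assumed OpenSSH 7.0+ default of prohibit-password
    # (the releases this thread is about defaulted to yes).
    [ -n "$prl" ] || prl=prohibit-password
    pw=no; key=no
    root_password_set "$2" && pw=yes
    root_has_authorized_keys "$3" && key=yes
    case $prl in
        no)
            echo "OK: PermitRootLogin no"; return 1 ;;
        yes)
            if [ "$pw" = yes ] || [ "$key" = yes ]; then
                echo "WARNING: PermitRootLogin yes and root can authenticate (password=$pw key=$key)"
                return 0
            fi
            echo "OK: PermitRootLogin yes, but root has neither a usable password nor authorized keys"
            return 1 ;;
        without-password|prohibit-password)
            if [ "$key" = yes ]; then
                echo "WARNING: PermitRootLogin $prl and root has authorized keys"
                return 0
            fi
            echo "OK: PermitRootLogin $prl and root has no authorized keys"
            return 1 ;;
        forced-commands-only)
            echo "OK: PermitRootLogin forced-commands-only (key login limited to forced commands)"
            return 1 ;;
        *)
            echo "UNKNOWN: PermitRootLogin $prl"; return 2 ;;
    esac
}

# Run as a script: sh check.sh /etc/ssh/sshd_config /etc/shadow /root/.ssh/authorized_keys
if [ $# -eq 3 ]; then
    ssh_root_login_check "$@"
fi
```

With the Ubuntu defaults of the time (PermitRootLogin yes, root locked with "!" in the shadow file, no root authorized_keys) the check prints OK; adding a root key or setting a root password flips it to WARNING. Note the two simplifications: `AuthorizedKeysFile` can point elsewhere, and `Match` blocks can re-enable root login for specific addresses or users, so for the live effective value `sshd -T` is the authoritative source.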

Revision history for this message
Connor Imes (ckimes) wrote :

Thank you for taking the time to report this. As far as anybody is aware, root login via ssh will not be enabled by default in Ubuntu. I believe that information about enabling the root account is not made available through official means. I am marking this bug as Won't Fix.

Changed in rkhunter:
status: Incomplete → Won't Fix