Date: Thu, 8 Nov 2001 10:18:07 -0500
From: Kutulu <kutulu@kutulu.org>
To: Anthony Atkielski <anthony@atkielski.com>
Cc: Giorgos Keramidas <charon@labs.gr>, freebsd-questions@FreeBSD.ORG
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
Message-ID: <20011108101807.A10218@pr0n.kutulu.org>
In-Reply-To: <002501c1682b$a542b7a0$0a00000a@atkielski.com>; from anthony@atkielski.com on Thu, Nov 08, 2001 at 09:01:54AM +0100
References: <15330.6606.417524.41024@guru.mired.org> <002b01c1635f$5a5f4300$0a00000a@atkielski.com> <20011108022328.F79276@hades.hell.gr> <002501c1682b$a542b7a0$0a00000a@atkielski.com>
On Thu, Nov 08, 2001 at 09:01:54AM +0100, Anthony Atkielski wrote:
> Currently I have telnetd turned off, and only sshd is running. I also have all
> incoming telnet and ssh traffic blocked at the router, and I only log in from my
> tiny LAN. So I should be safe logging in directly as root, although I might
> reconsider if I ever need to log into the system from a remote location.

If you only allow your root logins via a DSA public key (in sshd_config, set
PermitRootLogins = without-password), there's a very good argument that you
will be just as secure logging in as root as you would be logging in as a user
and using 'su'. That is, if a malicious person is able to crack your DSA keys
and pretend to be you, he/she can probably also locate the root password in
the encrypted stream immediately following 'su', and decrypt it.

> ----- Original Message -----
> From: "Giorgos Keramidas" <charon@labs.gr>
> To: "Anthony Atkielski" <anthony@atkielski.com>
> Cc: <freebsd-questions@FreeBSD.ORG>
> Sent: Thursday, November 08, 2001 01:23
> Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
>
> > > For example, one change I made to my system was to allow root logins
> > > from remote terminals. I'd prefer to limit remote logins to root to
> > > my other machine, which is on the LAN, but I'm not aware of an
> > > option to force that, so I had to open root logins to the world.

Again... set up root to permit logins only through SSH, only with a DSA key.
Then, in /root/.ssh/authorized_keys2, you can limit specific keys to only
being valid coming from certain hosts:

     from="pattern-list"
             Specifies that in addition to RSA authentication, the canonical
             name of the remote host must be present in the comma-separated
             list of patterns (`*' and `?' serve as wildcards).

(DSA keys and RSA keys are stored in the same file format, so the same options
apply to both.)

--K
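As an added example that is not part of this thread, a small sh audit helper (hypothetical functions from_allows and unrestricted_keys) that applies the from="pattern-list" semantics quoted above to an authorized_keys file and flags keys that carry no host restriction at all; the key lines are constructed placeholders.

```shell
# Added audit helper, not code from the thread. It applies the from="pattern-list"
# semantics quoted above: comma-separated patterns with `*' and `?' wildcards,
# which map directly onto sh `case' globs. The sample key lines are constructed.

# from_allows KEYLINE HOST
#   0: HOST matches one of the key's from= patterns
#   1: the key has from= but HOST matches none of its patterns
#   2: the key carries no from= restriction at all
from_allows() {
    keyline=$1 host=$2
    case "$keyline" in
        *from=\"*\"*) ;;
        *) return 2 ;;
    esac
    patterns=${keyline#*from=\"}       # drop everything up to from="
    patterns=${patterns%%\"*}           # drop the closing quote and the key
    oldifs=$IFS; IFS=,; set -f          # split on commas, no pathname globbing
    set -- $patterns
    IFS=$oldifs; set +f
    for pat in "$@"; do
        case "$host" in
            $pat) return 0 ;;           # unquoted so it acts as a glob
        esac
    done
    return 1
}

# unrestricted_keys FILE
#   prints the line number of every key in FILE that has no from= option
unrestricted_keys() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) continue ;;        # skip blank lines and comments
        esac
        rc=0; from_allows "$line" unused || rc=$?
        [ "$rc" -eq 2 ] && echo "$n"
    done < "$1"
    return 0
}

# Constructed sample: the first key is pinned to the LAN, the second is not
SAMPLE_KEYS=$(mktemp)
cat > "$SAMPLE_KEYS" <<'EOF'
# root's authorized_keys2 (constructed sample, placeholder key material)
from="*.lan.example,10.0.0.?" ssh-dss AAAAB3NzaC1kc3MAAAPLACEHOLDER root@lan
ssh-dss AAAAB3NzaC1kc3MAAAPLACEHOLDER root@anywhere
EOF
unrestricted_keys "$SAMPLE_KEYS"        # prints 3
```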