From: Mike Clarke
To: freebsd-questions@freebsd.org
Cc: "William A. Mahaffey III"
Date: Sun, 03 Aug 2014 10:23:51 +0100
Subject: Re: permission problems w/ ordinary user ....

On Saturday 02 August 2014 18:59:09 William A. Mahaffey III wrote:
> On 08/02/14 18:45, Roland Smith wrote:
> > On Sat, Aug 02, 2014 at 06:28:47PM -0500, William A. Mahaffey III wrote:

[snip]

> >> I can ssh in as root no sweat
> >
> > Yikes. That is usually the first thing I'd disable!
> >
> >
> > Roland
>
> I do that (easy root login) on purpose, my LAN is not internet
> exposed (except when I'm browsing)

You can make things a bit more secure by requiring ssh keys instead of a
password for remote access. Use ssh-keygen to generate your keys then append
your ~/ssh/id_rsa.pub to /root/.ssh/authorized_keys on the machine where you
need root access. Then make these changes to /etc/ssh/sshd_config on the
remote machine and restart sshd.

--- /usr/src/crypto/openssh/sshd_config 2013-01-12 13:21:39.235909173 +0000 +++ /etc/ssh/sshd_config 2013-01-12 13:20:23.078909059 +0000 @@ -45,4 +45,5 @@ #LoginGraceTime 2m #PermitRootLogin no +PermitRootLogin without-password #StrictModes yes #MaxAuthTries 6 @@ -64,5 +65,5 @@ # Change to yes to enable built-in password authentication. -#PasswordAuthentication no +PasswordAuthentication no #PermitEmptyPasswords no

NB. If you don't have physical access to the remote machine then be very
careful not to make any mistakes which could lock you out of it. In
particular make sure you have set up your keys and edited
/root/.ssh/authorized_keys correctly before reconfiguring sshd. To be on the
safe side confirm that you can make a successful remote login from another
terminal window before closing your current remote session.

--
Mike Clarke
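
Review bot: In the first hunk, the added `PermitRootLogin without-password` line sits directly under the commented `#PermitRootLogin no` with no explanation, and the option name reads as if root could log in with no password at all. Add a comment above it saying that root may log in only with a key and never with a password, so a later editor does not mistake it for an error or swap it for a weaker value.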
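
Review bot: In the second hunk, uncommenting `PasswordAuthentication no` covers only the password method; the lines shown do not touch keyboard-interactive authentication, which can also prompt for a password. Check `ChallengeResponseAuthentication` in the same file and set it to `no` as well if key-only access is the goal, then confirm a key login works before closing the current session.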
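
A pre-flight check for the procedure in the message above, as an added example that is not part of Mike Clarke's message: it reads the two settings from the diff the way sshd does (first occurrence wins, global section only) and confirms that root's authorized_keys holds a key before sshd is restarted. The function names and sample files are constructed for illustration, and `Keyword=value` or quoted values are assumed not to occur.

```shell
#!/bin/sh
# Pre-flight check for the sshd_config change above (added example).

# Effective global value of a keyword. sshd keeps the FIRST value it reads for
# each keyword, keywords are case-insensitive, and Match blocks are conditional.
effective() {   # usage: effective <sshd_config> <Keyword>
    awk -v k="$2" '
        NF == 0 || $1 ~ /^#/      { next }   # blank lines and comments
        tolower($1) == "match"    { exit }   # stop at the first Match block
        tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Number of non-comment lines carrying a key type and a base64 blob
# (every SSH public-key blob starts with "AAAA").
key_lines() {   # usage: key_lines <authorized_keys>
    [ -r "$1" ] || { echo 0; return 0; }
    grep -v '^[[:space:]]*#' "$1" |
        grep -Ec '(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9]+)[[:space:]]+AAAA' || true
}

# Return 0 only if root keeps key login and password login is off.
preflight() {   # usage: preflight <sshd_config> <authorized_keys>
    rc=0
    prl=$(effective "$1" PermitRootLogin)
    pwa=$(effective "$1" PasswordAuthentication)
    [ "$prl" = "without-password" ] || { echo "PermitRootLogin is '${prl:-unset}'"; rc=1; }
    [ "$pwa" = "no" ] || { echo "PasswordAuthentication is '${pwa:-unset}'"; rc=1; }
    [ "$(key_lines "$2")" -gt 0 ] || { echo "no usable key in $2"; rc=1; }
    return $rc
}

# Constructed sample files (not real keys or configs).
make_samples() {   # usage: make_samples <dir>
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin without-password' \
        'PasswordAuthentication no' > "$1/good.conf"
    # An earlier uncommented line shadows the one added further down.
    printf '%s\n' 'PermitRootLogin yes' 'PermitRootLogin without-password' \
        'PasswordAuthentication no' > "$1/shadowed.conf"
    printf '%s\n' '# laptop key' \
        'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED root@example' > "$1/authorized_keys"
    : > "$1/empty_keys"
}

demo=$(mktemp -d) && make_samples "$demo"
preflight "$demo/good.conf" "$demo/authorized_keys" && echo "good.conf: safe to restart sshd"
preflight "$demo/shadowed.conf" "$demo/authorized_keys" || echo "shadowed.conf: fix before restart"
preflight "$demo/good.conf" "$demo/empty_keys" || echo "empty_keys: would lock root out"
rm -rf "$demo"
```

On a real host, also run `sshd -t` to catch syntax errors before the restart.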