From owner-freebsd-questions@FreeBSD.ORG Wed May 30 09:11:56 2007 Return-Path: X-Original-To: freebsd-questions@freebsd.org Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 403D916A421 for ; Wed, 30 May 2007 09:11:56 +0000 (UTC) (envelope-from perryh@pluto.rain.com) Received: from agora.rdrop.com (agora.rdrop.com [199.26.172.34]) by mx1.freebsd.org (Postfix) with ESMTP id 1F43613C480 for ; Wed, 30 May 2007 09:11:56 +0000 (UTC) (envelope-from perryh@pluto.rain.com) Received: from agora.rdrop.com (66@localhost [127.0.0.1]) by agora.rdrop.com (8.13.1/8.12.7) with ESMTP id l4U9BrbO011146 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for ; Wed, 30 May 2007 02:11:55 -0700 (PDT) (envelope-from perryh@pluto.rain.com) Received: (from uucp@localhost) by agora.rdrop.com (8.13.1/8.12.9/Submit) with UUCP id l4U9BqkX011139 for freebsd-questions@freebsd.org; Wed, 30 May 2007 02:11:52 -0700 (PDT) Received: from fbsd61 ([192.168.200.61]) by pluto.rain.com (4.1/SMI-4.1-pluto-M2060407) id AA25741; Wed, 30 May 07 02:02:47 PDT Date: Wed, 30 May 2007 02:06:38 -0700 From: perryh@pluto.rain.com To: freebsd-questions@freebsd.org Message-Id: <465d3e9e.uyoP2YaUttmVs6ON%perryh@pluto.rain.com> References: <11066.217.114.136.135.1180427946.squirrel@llca513-a.servidoresdns.net> <499c70c0705290145w309bd308u83f39f3791c5b3f@mail.gmail.com> <465C1D68.8000502@yahoo.gr> In-Reply-To: <465C1D68.8000502@yahoo.gr> User-Agent: nail 11.25 7/29/05 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: Re: connecting user root with ssh X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 30 May 2007 09:11:56 -0000 > > you are warned, do not allow SSH to your box with user root at all. > ... > Having root logon enabled remotely is just asking for trouble. The O.P. might be interested in knowing *why* allowing remote root login is considered unwise: * The name "root" is very well known. * If "root" can log in remotely, a cracker need only guess root's password to obtain root access. * If "root" cannot log in remotely, a cracker has to guess three things to obtain root access, instead of just one: + A valid username which is in the "wheel" group; + That user's password; + The root password. This at least doubles the difficulty of a brute-force attack: even if a suitable username were obvious, there would still be two passwords to be cracked. It can be made even tougher by having only one username (other than root) in the wheel group, choosing that name as if it were a password, and not allowing it to be externally known (e.g. never using it for mail).