From owner-freebsd-questions@FreeBSD.ORG  Wed May 30 09:11:56 2007
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
X-Original-To: freebsd-questions@freebsd.org
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 403D916A421
	for <freebsd-questions@freebsd.org>;
	Wed, 30 May 2007 09:11:56 +0000 (UTC)
	(envelope-from perryh@pluto.rain.com)
Received: from agora.rdrop.com (agora.rdrop.com [199.26.172.34])
	by mx1.freebsd.org (Postfix) with ESMTP id 1F43613C480
	for <freebsd-questions@freebsd.org>;
	Wed, 30 May 2007 09:11:56 +0000 (UTC)
	(envelope-from perryh@pluto.rain.com)
Received: from agora.rdrop.com (66@localhost [127.0.0.1])
	by agora.rdrop.com (8.13.1/8.12.7) with ESMTP id l4U9BrbO011146
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <freebsd-questions@freebsd.org>;
	Wed, 30 May 2007 02:11:55 -0700 (PDT)
	(envelope-from perryh@pluto.rain.com)
Received: (from uucp@localhost)
	by agora.rdrop.com (8.13.1/8.12.9/Submit) with UUCP id l4U9BqkX011139
	for freebsd-questions@freebsd.org; Wed, 30 May 2007 02:11:52 -0700 (PDT)
Received: from fbsd61 ([192.168.200.61]) by pluto.rain.com
	(4.1/SMI-4.1-pluto-M2060407) id AA25741; Wed, 30 May 07 02:02:47 PDT
Date: Wed, 30 May 2007 02:06:38 -0700
From: perryh@pluto.rain.com
To: freebsd-questions@freebsd.org
Message-Id: <465d3e9e.uyoP2YaUttmVs6ON%perryh@pluto.rain.com>
References: <11066.217.114.136.135.1180427946.squirrel@llca513-a.servidoresdns.net>
	<499c70c0705290145w309bd308u83f39f3791c5b3f@mail.gmail.com>
	<465C1D68.8000502@yahoo.gr>
In-Reply-To: <465C1D68.8000502@yahoo.gr>
User-Agent: nail 11.25 7/29/05
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re: connecting user root with ssh
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 30 May 2007 09:11:56 -0000

> > you are warned, do not allow SSH to your box with user root at all.
> ...
> Having root logon enabled remotely is just asking for trouble.

The O.P. might be interested in knowing *why* allowing remote root
login is considered unwise:

* The name "root" is very well known.

* If "root" can log in remotely, a cracker need only guess root's
  password to obtain root access.

* If "root" cannot log in remotely, a cracker has to guess three
  things to obtain root access, instead of just one:

  + A valid username which is in the "wheel" group;
  + That user's password;
  + The root password.

This at least doubles the difficulty of a brute-force attack:
even if a suitable username were obvious, there would still be
two passwords to be cracked.  It can be made even tougher by
having only one username (other than root) in the wheel group,
choosing that name as if it were a password, and not allowing
it to be externally known (e.g. never using it for mail).