From: Maciej Suszko
To: Ben Woods
Cc: Polytropon, "freebsd-questions@freebsd.org", Ernie Luzar
Date: Tue, 3 Jan 2017 14:24:12 +0100
Subject: Re: how to allow user toor login through ssh
Message-ID: <20170103141838.4ada403b@helium>

On Tue, 3 Jan 2017 19:15:54 +0800
Ben Woods wrote:

> The openssh daemon prevents login as root or toor (any user with UID
> 0) in the default configuration that ships with FreeBSD.
>
> This can be adjusted by setting the following in /etc/ssh/sshd_config:
> PermitRootLogin yes
>
> Note however, that it is not generally advisable to allow root or toor
> login via ssh, as this is a frequently attempted username for script
> kiddies and bots running random brute force attacks. Tread wisely.
>
> Regards,
> Ben

However it's quite simple to restrict root login using a Match block, for
example ;-) ... just leave 'no' globally.

Match Address 10.0.0.0/27
	PermitRootLogin yes

-- 
regards, Maciej Suszko.
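
An added example, not part of the original message: a small Python model of how PermitRootLogin resolves for a given client address under the configuration described above (global 'no', 'yes' inside a Match Address block), usable to audit which sources may log in as root. It is a simplified model that handles only `Match Address` CIDR lists and `Match all`; the function names and the sample config are constructed here, and the fallback of `no` follows the FreeBSD default described in the quoted message.

```python
import ipaddress

# Constructed sample: global "no" plus the Match block from the message.
SAMPLE_CONFIG = """\
PermitRootLogin no

Match Address 10.0.0.0/27
    PermitRootLogin yes
"""


def match_applies(args, client):
    """Evaluate a Match line; refuse criteria this model does not cover."""
    if len(args) == 1 and args[0].lower() == "all":
        return True
    if len(args) != 2 or args[0].lower() != "address":
        raise ValueError("unsupported Match criteria: " + " ".join(args))
    # ip_network() raises ValueError on wildcards, negation or bad CIDR.
    nets = [ipaddress.ip_network(p) for p in args[1].split(",")]
    return any(client in net for net in nets)


def effective_permit_root_login(config_text, client_addr, default="no"):
    """Return the PermitRootLogin value that applies to client_addr.

    Assumed model: a value inside a matching Match block overrides the
    global one, and the first occurrence of the keyword wins in each scope.
    """
    client = ipaddress.ip_address(client_addr)
    global_value = match_value = None
    in_match = active = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, *args = line.split()
        if keyword.lower() == "match":
            in_match, active = True, match_applies(args, client)
        elif keyword.lower() == "permitrootlogin" and args:
            if not in_match and global_value is None:
                global_value = args[0]
            elif active and match_value is None:
                match_value = args[0]
    return match_value or global_value or default
```

On a live host, `sshd -T -C user=root,host=client.example,addr=10.0.0.5` prints the settings sshd itself would apply to that connection, which is the authoritative check.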