From owner-freebsd-questions Thu Nov 8 7:18:45 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from pr0n.kutulu.org (pr0n.kutulu.org [151.196.107.157]) by hub.freebsd.org (Postfix) with ESMTP id 0683A37B420 for ; Thu, 8 Nov 2001 07:18:41 -0800 (PST)
Received: (from kutulu@localhost) by pr0n.kutulu.org (8.11.6/8.11.6) id fA8FI7o10282; Thu, 8 Nov 2001 10:18:07 -0500 (EST) (envelope-from kutulu)
Date: Thu, 8 Nov 2001 10:18:07 -0500
From: Kutulu
To: Anthony Atkielski
Cc: Giorgos Keramidas, freebsd-questions@FreeBSD.ORG
Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
Message-ID: <20011108101807.A10218@pr0n.kutulu.org>
Mail-Followup-To: Anthony Atkielski, Giorgos Keramidas, freebsd-questions@FreeBSD.ORG
References: <15330.6606.417524.41024@guru.mired.org> <002b01c1635f$5a5f4300$0a00000a@atkielski.com> <20011108022328.F79276@hades.hell.gr> <002501c1682b$a542b7a0$0a00000a@atkielski.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <002501c1682b$a542b7a0$0a00000a@atkielski.com>; from anthony@atkielski.com on Thu, Nov 08, 2001 at 09:01:54AM +0100
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, Nov 08, 2001 at 09:01:54AM +0100, Anthony Atkielski wrote:
> Currently I have telnetd turned off, and only sshd is running. I also have all
> incoming telnet and ssh traffic blocked at the router, and I only log in from my
> tiny LAN. So I should be safe logging in directly as root, although I might
> reconsider if I ever need to log into the system from a remote location.

If you only allow your root logins via a DSA public key (in sshd_config, set
PermitRootLogins = without-password), there's a very good argument that you
will be just as secure logging in as root as you would be logging in as a user
and using 'su'.

That is, if a malicious person is able to crack your DSA keys and pretend to be
you, he/she can probably also locate the root password in the encrypted stream
immediately following 'su', and decrypt it.

> ----- Original Message -----
> From: "Giorgos Keramidas"
> To: "Anthony Atkielski"
> Cc:
> Sent: Thursday, November 08, 2001 01:23
> Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
>
> > > For example, one change I made to my system was to allow root logins
> > > from remote terminals. I'd prefer to limit remote logins to root to
> > > my other machine, which is on the LAN, but I'm not aware of an
> > > option to force that, so I had to open root logins to the world.

Again... set up root to permit logins only through SSH, only with a DSA key.
Then, in /root/.ssh/authorized_keys2, you can limit specific keys to only being
valid coming from certain hosts:

    from="pattern-list"
        Specifies that in addition to RSA authentication, the canonical name
        of the remote host must be present in the comma-separated list of
        patterns (`*' and `?' serve as wildcards).

(DSA keys and RSA keys are stored in the same file format, so the same options
apply to both.)

--K

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
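An added audit helper for the from="pattern-list" restriction described in the reply above. This is example code written for this page, not code from the original post or from OpenSSH: it parses authorized_keys lines (options, key type, key blob, comment), flags keys that carry no from= restriction, and reports which keys a given source host could use, following sshd's documented pattern rules ('*' and '?' wildcards, comma-separated patterns, a leading '!' negating a pattern). The sample file and its key blobs are constructed placeholders. For reference when applying the advice on a current system: OpenSSH spells the directive `PermitRootLogin` with the value `prohibit-password` (the older `without-password` is still accepted as an alias), reads `~/.ssh/authorized_keys` rather than `authorized_keys2`, and matches from= against the remote host's canonical name or address.

```python
"""Audit /root/.ssh/authorized_keys for keys lacking a from= source restriction.

Added example, not part of the original mailing-list post or of OpenSSH.
Pattern matching follows the sshd PATTERNS rules: '*' any run, '?' one
character, comma-separated patterns, a leading '!' negates a pattern.
"""
import re

# Key types recognised as the start of a line that carries no options.
KEY_TYPES = frozenset({
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
})


def match_pattern(pattern, name):
    """Match one sshd-style pattern ('*' any run, '?' one char) against name."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, name) is not None


def match_pattern_list(pattern_list, name):
    """sshd semantics: a matching negated ('!') pattern rejects outright;
    otherwise at least one positive pattern must match."""
    positive = False
    for pat in pattern_list.split(","):
        pat = pat.strip()
        if not pat:
            continue
        if pat.startswith("!"):
            if match_pattern(pat[1:], name):
                return False
        elif match_pattern(pat, name):
            positive = True
    return positive


def parse_options(text):
    """Parse 'from="a,b",no-pty' into {'from': 'a,b', 'no-pty': True}.
    Quoted values may contain commas and backslash-escaped quotes."""
    opts, i, n = {}, 0, len(text)
    while i < n:
        j = i
        while j < n and text[j] not in ",=":
            j += 1
        name = text[i:j].lower()
        if j < n and text[j] == "=":
            j += 1
            if j < n and text[j] == '"':
                val, j = [], j + 1
                while j < n and text[j] != '"':
                    if text[j] == "\\" and j + 1 < n:
                        j += 1  # keep the escaped character literally
                    val.append(text[j])
                    j += 1
                j += 1  # step past the closing quote
                opts[name] = "".join(val)
            else:
                k = j
                while k < n and text[k] != ",":
                    k += 1
                opts[name] = text[j:k]
                j = k
        elif name:
            opts[name] = True  # bare flag such as no-port-forwarding
        i = j + 1  # skip the separating comma (or run past the end)
    return opts


def parse_authorized_key(line):
    """Return (options, keytype, key, comment) or None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # The first field ends at the first whitespace outside double quotes.
    in_quote, end = False, len(line)
    for idx, c in enumerate(line):
        if c == '"' and not (idx and line[idx - 1] == "\\"):
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            end = idx
            break
    first, rest = line[:end], line[end:].strip()
    if first in KEY_TYPES:
        options, fields = {}, line.split(None, 2)
    else:
        options, fields = parse_options(first), rest.split(None, 2)
    if len(fields) < 2:
        return None
    comment = fields[2] if len(fields) > 2 else ""
    return options, fields[0], fields[1], comment


def unrestricted_keys(text):
    """Comments of keys with no from= restriction (usable from any host)."""
    return [p[3] or p[2][:16] for p in map(parse_authorized_key, text.splitlines())
            if p and "from" not in p[0]]


def keys_admitting(text, host):
    """Comments of keys usable from `host`; unrestricted keys admit everyone."""
    out = []
    for p in map(parse_authorized_key, text.splitlines()):
        if p and (p[0].get("from") is None or match_pattern_list(p[0]["from"], host)):
            out.append(p[3] or p[2][:16])
    return out


# Constructed sample /root/.ssh/authorized_keys; key blobs are placeholders.
SAMPLE = """\
# only the LAN workstation may use this key, never a guest-network host
from="workstation.lan.example,!*.guest.lan.example",no-port-forwarding ssh-ed25519 AAAAC3PLACEHOLDER1 admin@workstation
ssh-rsa AAAAB3PLACEHOLDER2 laptop@anywhere
from="10.0.0.?" ssh-rsa AAAAB3PLACEHOLDER3 lan-box
"""

if __name__ == "__main__":
    print("keys without from= restriction:", unrestricted_keys(SAMPLE))
    print("keys usable from 10.0.0.5:", keys_admitting(SAMPLE, "10.0.0.5"))
```

Run it against a real file with `unrestricted_keys(open("/root/.ssh/authorized_keys").read())`; any comment it prints is a key that the from= advice in the reply has not yet been applied to. The negated pattern in the first sample line shows the one subtlety of pattern lists: a host matching `*.guest.lan.example` is rejected even though it also matches a positive pattern.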