From owner-freebsd-security@FreeBSD.ORG Tue Jan 13 18:41:54 2015
From: Paul Hoffman
To: Zoran Kolic
Cc: freebsd-security@freebsd.org
Subject: Re: Security SSH
Date: Tue, 13 Jan 2015 10:41:50 -0800
In-Reply-To: <20150113173127.GA15966@knossos>
References: <20150112164010.GA811@mycenae.sbb.rs> <3E13CC03-7C83-4B6D-85B1-442D4014E57D@vpnc.org> <20150113173127.GA15966@knossos>
List-Id: "Security issues [members-only posting]"

On Jan 13, 2015, at 9:31 AM, Zoran Kolic wrote:
>
>> Can you point to that for the rest of us? I'd rather not wade in openbsd-misc....
>
> The link the original poster presented is the correct one.
> OpenBSD tends to set some default values, which one might
> like or not. I would disable root login at first.
> Misc seems rough at the moment. I found it very helpful if
> I need help, just have to follow rules. Be patient, give
> as much info as possible, don't push... Do your homework...
> If I really have to say what I think: ssh is a great tool.

In the FreeBSD space, enabling root login for SSH by default is problematic on both sides of the sword.

- If it is enabled by default, and the root password is purposely easy to remember (because it is a single-user system), it's easy to get owned.

- If it is disabled by default, you either have to be able to log in once from the console (which you might not have access to if it is a VM), or the one user who was added has to be part of the right group *and* you need to remember the right incantation for "su".

On balance, I'm happy with the FreeBSD default of "PermitRootLogin no" even though it has made creating new FreeBSD VMs troublesome for me sometimes.

...and I'm glad we're not discussing the uninformed crypto FUD that started this thread...

--Paul Hoffman
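The "PermitRootLogin no" default discussed in the thread is only as good as the setting sshd actually ends up with. As an added example (not part of Paul Hoffman's mail and not FreeBSD's own tooling), the shell functions below audit an sshd_config file for its effective PermitRootLogin value. They rely on two documented sshd_config(5) behaviours: for each keyword the first occurrence wins, so a "PermitRootLogin no" appended after an earlier "PermitRootLogin yes" is ignored, and directives after a Match line apply only conditionally, so they are skipped here. The sample config files are constructed for this example; the function and file names are the example's own.

```shell
# Added example, not from the thread or from FreeBSD: audit PermitRootLogin
# in an sshd_config-style file. sshd uses the FIRST value it reads for a
# keyword, so this mimics that and ignores conditional Match blocks.
effective_permit_root_login() {
    # $1: path to the config file. Prints the first top-level value in
    # lower case, or "(unset)" when the keyword never appears.
    awk -F '[ \t=]+' '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }  # drop comments and indent
        /^$/ { next }                           # nothing left on the line
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }                       # conditional block: skip
        tolower($1) == "permitrootlogin" && !found {
            print tolower($2); found = 1        # first occurrence wins
        }
        END { if (!found) print "(unset)" }
    ' "$1"
}

# Classify the result: "yes" is the weak setting the thread warns about,
# since it lets root authenticate with any method, passwords included.
# Exit status: 0 acceptable, 1 weak, 2 not set in the file.
audit_permit_root_login() {
    v=$(effective_permit_root_login "$1")
    case "$v" in
        yes)       echo "WEAK: PermitRootLogin yes in $1"; return 1 ;;
        no)        echo "OK: PermitRootLogin no in $1"; return 0 ;;
        "(unset)") echo "UNSET: $1 leaves PermitRootLogin to sshd's built-in default"; return 2 ;;
        *)         echo "OTHER: PermitRootLogin $v in $1"; return 0 ;;
    esac
}

# Constructed sample configs (not taken from any real host) for the demo.
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
# The trailing "no" never takes effect: sshd keeps the first value.
PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
PermitRootLogin no
EOF
    cat > "$SAMPLE_DIR/ok.conf" <<'EOF'
  PermitRootLogin = no   # indented, '=' separator, trailing comment
Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
    cat > "$SAMPLE_DIR/unset.conf" <<'EOF'
#PermitRootLogin yes
EOF
}

# Usage: make_samples; for f in "$SAMPLE_DIR"/*.conf; do audit_permit_root_login "$f"; done
```

On a live host the authoritative answer is `sshd -T | grep -i permitrootlogin`, which prints the effective value after sshd has parsed everything; the file-based check above is for reviewing configs at rest, for example before they are pushed to a new VM.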