Date:      Tue, 3 Jan 2017 19:59:15 +0000
From:      Dave B <g8kbvdave@googlemail.com>
To:        freebsd-questions@freebsd.org
Subject:   Re: freebsd-questions Digest, Vol 657, Issue 4
Message-ID:  <94b5b6f2-3c3b-cc53-bf23-46e90aaa10d6@googlemail.com>
In-Reply-To: <mailman.14124.1483471837.4389.freebsd-questions@freebsd.org>
References:  <mailman.14124.1483471837.4389.freebsd-questions@freebsd.org>

On 03/01/17 19:30, freebsd-questions-request@freebsd.org wrote:
> Subject:
> Re: how to allow user toor login through ssh
> From:
> Maciej Suszko <maciej@suszko.eu>
> Date:
> 03/01/17 13:24
>
> To:
> Ben Woods <woodsb02@gmail.com>
> CC:
> Polytropon <freebsd@edvax.de>, "freebsd-questions@freebsd.org"
> <freebsd-questions@freebsd.org>, Ernie Luzar <luzar722@gmail.com>
>
>
> On Tue, 3 Jan 2017 19:15:54 +0800
> Ben Woods <woodsb02@gmail.com> wrote:
>
>> The openssh daemon prevents login as root or toor (any user with UID
>> 0) in the default configuration that ships with FreeBSD.
>>
>> This can be adjusted by setting the following in /etc/ssh/sshd_config:
>> PermitRootLogin yes
>>
>> Note however, that it is not generally advisable to allow root or toor
>> login via ssh, as this is a frequently attempted username for script
>> kiddies and bots running random brute force attacks. Tread wisely.
>>
>> Regards,
>> Ben
> However, it's quite simple to restrict root login using a Match block, for
> example ;-) ... just leave 'no' globally.
>
> Match Address 10.0.0.0/27
>     PermitRootLogin yes
> -- regards, Maciej Suszko.
Hi.

The way I was guided to do this, and have successfully been using it for
the last 4 (at least) years on a public facing server (without, AFAIK, any
incident, yet) is to first ssh and log in (password or certificate) as a
regular user, then...

$ su - root

...And give root's password when prompted.

At which you then end up with the coveted   # /root >   prompt!

Of course, the user you first log in as must be permitted to use su etc.,
and also make sure that root's password is longer and unrelated to any
known user, but memorable to you.  Use a phrase including upper case
characters and numbers, not just a single word...

Remember security and convenience are mutually exclusive.  Certificates
are nice, but I always wonder what happens if your portable device is
lost or stolen; if its local login creds are not that secure, then
potentially whatever it can auto-connect to could be vulnerable.

When you're done with root's task, just Ctrl+D out, back to the plain
user account.

It's also amazing just how many simple admin tasks you can do as a
regular user with just a few extra privileges, not needing full root
access much of the time.

Happy New Year and best regards to All.

Dave B.
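Ben's note that PermitRootLogin is off by default and Maciej's Match Address block together describe a per-source policy: deny root everywhere, allow it only from a trusted range. The following Python is an added illustration, not code from anyone in this thread and not OpenSSH's own parser. It models how sshd(8) resolves PermitRootLogin for a given client address according to sshd_config(5): a satisfied Match block overrides the global value, if several satisfied blocks set the same keyword the first one wins, and in an Address list a negated entry (`!`) excludes the address even when another entry in the same list matches it. The sample config, the address ranges and the `default` fallback are constructed for the example.

```python
"""Resolve the effective PermitRootLogin for a client address from a
simplified sshd_config. Illustrative re-implementation of the Match Address
rules in sshd_config(5); it is not OpenSSH's parser and supports only the
Address criterion."""
import ipaddress

# Constructed sample: root denied globally, allowed from one LAN /27,
# restricted to key-only from a wider /8 and from a /24 with one host excluded.
SAMPLE_SSHD_CONFIG = """
# global section
PermitRootLogin no
PasswordAuthentication yes

Match Address 10.0.0.0/27
    PermitRootLogin yes

# Wider block listed later: for 10.0.0.5 the /27 block above wins.
Match Address 10.0.0.0/8
    PermitRootLogin prohibit-password

Match Address 192.0.2.0/24,!192.0.2.99
    PermitRootLogin prohibit-password
"""


def parse_config(text):
    """Return (global_settings, match_blocks).

    Each block is (criteria, settings); keywords are lower-cased and, as in
    sshd, the first obtained value for a keyword within a section wins."""
    global_settings, blocks = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            tokens = value.split()               # e.g. ["Address", "10.0.0.0/27"]
            criteria = {k.lower(): v for k, v in zip(tokens[::2], tokens[1::2])}
            current = (criteria, {})
            blocks.append(current)
        elif current is None:
            global_settings.setdefault(keyword, value)
        else:
            current[1].setdefault(keyword, value)
    return global_settings, blocks


def address_matches(client_addr, pattern_list):
    """Evaluate a comma-separated sshd address list (CIDR or single address).

    A positive match is remembered but scanning continues; a negated entry
    that matches wins outright, so "192.0.2.0/24,!192.0.2.99" excludes .99."""
    addr = ipaddress.ip_address(client_addr)
    found = False
    for entry in pattern_list.split(","):
        negate = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if addr.version == net.version and addr in net:
            if negate:
                return False
            found = True
    return found


def effective_permit_root_login(text, client_addr, default="no"):
    """Return the PermitRootLogin value sshd would apply for client_addr.

    `default` is the assumed value when the file is silent (the thread says
    FreeBSD ships with root login disabled; upstream OpenSSH's compiled
    default is prohibit-password)."""
    global_settings, blocks = parse_config(text)
    for criteria, settings in blocks:
        unsupported = set(criteria) - {"address"}
        if unsupported:
            raise ValueError("unsupported Match criteria: %s" % sorted(unsupported))
        if address_matches(client_addr, criteria["address"]) and "permitrootlogin" in settings:
            return settings["permitrootlogin"]   # first satisfied block wins
    return global_settings.get("permitrootlogin", default)


if __name__ == "__main__":
    for client in ("10.0.0.5", "10.0.0.40", "192.0.2.10", "192.0.2.99", "203.0.113.7"):
        print("%-12s PermitRootLogin %s"
              % (client, effective_permit_root_login(SAMPLE_SSHD_CONFIG, client)))
```

On a real host the authoritative check is sshd's own test mode, `sshd -T -C addr=10.0.0.5,user=root,host=client` (the `-C` connection spec makes `-T` print the settings that would apply to that connection), which is worth running after any Match change so that the global `no` and the per-range exception come out the way you intended.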
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?94b5b6f2-3c3b-cc53-bf23-46e90aaa10d6>