Subject: Re: freebsd-questions Digest, Vol 657, Issue 4
From: Dave B
To: freebsd-questions@freebsd.org
Date: Tue, 3 Jan 2017 19:59:15 +0000
Message-ID: <94b5b6f2-3c3b-cc53-bf23-46e90aaa10d6@googlemail.com>
List-Id: User questions

On 03/01/17 19:30, freebsd-questions-request@freebsd.org wrote:
> Subject: Re: how to allow user toor login through ssh
> From: Maciej Suszko
> Date: 03/01/17 13:24
> To: Ben Woods
> CC: Polytropon, "freebsd-questions@freebsd.org", Ernie Luzar
>
> On Tue, 3 Jan 2017 19:15:54 +0800
> Ben Woods wrote:
>
>> The openssh daemon prevents login as root or toor (any user with UID
>> 0) in the default configuration that ships with FreeBSD.
>>
>> This can be adjusted by setting the following in /etc/ssh/sshd_config:
>> PermitRootLogin yes
>>
>> Note however, that it is not generally advisable to allow root or toor
>> login via ssh, as this is a frequently attempted username for script
>> kiddies and bots running random brute force attacks. Tread wisely.
>>
>> Regards,
>> Ben
>
> However it's quite simple to restrict root login using a Match block, for
> example ;-) ... just leave 'no' globally.
>
> Match Address 10.0.0.0/27
>     PermitRootLogin yes
>
> --
> regards, Maciej Suszko.

Hi.

The way I was guided to do this, and have successfully been using it for the last 4 (at least) years on a public facing server (without, AFAIK, any incident, yet) is to first ssh and log in (password or certificate) as a regular user, then...

$ su - root

...and give root's password when prompted. At which point you end up with the coveted

# /root >

prompt!

Of course, the user you first log in as must be permitted to use su etc., and also make sure that root's password is longer and unrelated to any known user, but memorable to you. Use a phrase including upper case characters and numbers, not just a single word...

Remember security and convenience are mutually exclusive.

Certificates are nice, but I always wonder what happens if your portable device is lost or stolen; if its local login creds are not that secure, then potentially whatever it can auto-connect to could be vulnerable.

When you're done with root's tasks, just Ctrl+D out, back to the plain user account.

It's also amazing just how many simple admin tasks you can do as a regular user with just a few extra privileges, not needing full root access much of the time.

Happy New Year and best regards to All.

Dave B.
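Maciej's suggestion relies on how sshd resolves a keyword that appears both globally and inside Match blocks: a Match block's keywords override the global section for clients that satisfy its criteria, and when several Match blocks apply to the same client, the first one that sets the keyword wins. The following Python script is an added example (not code from the thread or from OpenSSH) that models exactly that resolution for the Address criterion, so you can see which PermitRootLogin value a given client address would get. The config excerpt, the subnets (10.0.0.0/27, 10.0.0.0/24, 192.0.2.10) and the client addresses are constructed for the example; only CIDR and exact-address patterns are modelled, not wildcards or negation.

```python
"""
Model sshd_config resolution of PermitRootLogin against Match Address
blocks. Added example, not part of the mailing-list thread.

Rule modelled (from sshd_config(5)): keywords in a Match block override
the global section for matching clients; among several matching Match
blocks, the first one that sets the keyword wins.
"""
import ipaddress

# Constructed config in the style of Maciej's reply: root login denied
# globally, allowed from the /27, key-only from the wider /24 and one host.
SAMPLE_CONFIG = """
# global section
PermitRootLogin no
PasswordAuthentication yes

Match Address 10.0.0.0/27
    PermitRootLogin yes

Match Address 10.0.0.0/24,192.0.2.10
    PermitRootLogin prohibit-password
"""


def parse_sshd_config(text):
    """Split config text into (global_options, [(address_patterns, options), ...])."""
    global_opts = {}
    match_blocks = []
    current = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        keyword = keyword.lower()             # sshd keywords are case-insensitive
        if keyword == "match":
            criteria = rest.split()
            if len(criteria) != 2 or criteria[0].lower() != "address":
                raise ValueError("only 'Match Address <list>' is modelled: %r" % raw)
            current = {}
            match_blocks.append((criteria[1].split(","), current))
        else:
            # within one section sshd keeps the first value it sees for a keyword
            current.setdefault(keyword, rest.strip())
    return global_opts, match_blocks


def address_matches(client_ip, patterns):
    """True if client_ip falls in any CIDR or exact address of the list."""
    ip = ipaddress.ip_address(client_ip)
    for pat in patterns:
        try:
            net = ipaddress.ip_network(pat, strict=False)  # "192.0.2.10" -> /32
        except ValueError:
            continue            # wildcard patterns are not modelled here
        if ip in net:           # False across IPv4/IPv6 versions
            return True
    return False


def effective_option(config_text, client_ip, keyword, default=None):
    """Return the value sshd would apply for keyword to a client at client_ip."""
    global_opts, match_blocks = parse_sshd_config(config_text)
    keyword = keyword.lower()
    for patterns, opts in match_blocks:
        # first matching Match block that sets the keyword wins
        if keyword in opts and address_matches(client_ip, patterns):
            return opts[keyword]
    return global_opts.get(keyword, default)


if __name__ == "__main__":
    for ip in ("10.0.0.5", "10.0.0.40", "192.0.2.10", "203.0.113.7", "2001:db8::1"):
        print(ip, "->", effective_option(SAMPLE_CONFIG, ip, "PermitRootLogin"))
```

Note that 10.0.0.5 falls in both Match blocks and still gets `yes` because the /27 block comes first; swapping the two blocks would turn that into `prohibit-password`, which is the ordering mistake this model is meant to surface. On the real host the authoritative check is `sshd -T -C addr=10.0.0.5` (substitute the client address), which prints the effective configuration sshd itself computes for that connection.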