Date: Mon, 29 Jan 2024 14:15:19 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: questions@freebsd.org
Subject: Re: Enabling SSHD
Message-ID: <4f60fad9-c5b1-46ea-bfbf-7e654bd5d3d1@FreeBSD.org>
In-Reply-To: <20240129134722.fbwrvamdf2wx4vik@yosemite.mars.lan>
References: <20240129125745.fuh6nnc4dooto2oz@yosemite.mars.lan> <CPja5CJLsYzkPuo_qd5lnJuUj6lBBCW2uHo3NcbFubhGSKa2gNEu0ETvjZSAwI_-rQFuVvUJR2s10xbz40uL17k1lpLSCiz8azHd77S9LK8=@proton.me> <BHs6axVCDQRUWc9O5KLVIF5b9tVo_qUIXZfJ3ASj6U-6sfJKBhcSrOn_VWfYfrxOQyFSEZKLjQuHbBKJ57NuwR-jAl7kDRYp7ix7bDVgCfk=@proton.me> <20240129134722.fbwrvamdf2wx4vik@yosemite.mars.lan>

On 29/01/2024 13:47, Paul M Foster wrote:

> I certainly hope this is not the case. I've been running Linux for 30
> years, and am looking to transition to FreeBSD. If passwords are prohibited
> for SSH access, that would be a major reason for me not to pursue FreeBSD
> any further. FWIW, I disagree with the current fad of believing that
> passwords should be eliminated for everything. I believe passwords,
> properly implemented, are more than adequate for normal security. If you're
> trying to secure NSA servers or something, by all means eliminate
> passwords in favor of hardware keys or the like.

Passwords are not prohibited for SSH access. The default configuration supplied with a basic install of FreeBSD doesn't turn password access on for root by default, because we know that many people will just use the "out of the box" configuration, so it is set to be as secure as feasible.

However this is FreeBSD. We have a saying around here: "tools, not policy" -- meaning that, yes, the system comes with ssh, but it's entirely up to you how to configure it. If you want password based auth for sshd, then go ahead and edit /etc/ssh/sshd_config and/or /etc/pam.d entries, as appropriate.

In fact, in general, if you install any software that requires configuration files to be set up, don't assume you're going to get anything like a working configuration directly from `pkg install`. You might get something immediately usable, sometimes, but you can't rely on that happening.

Likewise, don't expect daemon processes to be automatically enabled and started up as a result of `pkg install`. On FreeBSD, those are deliberately separate steps that you, as the admin, are expected to make intentionally. It's maybe not as convenient for a more casual user, but it plays much better with automated configuration tools like Ansible, and if you're working at scale with whole clusters of machines.

Cheers,

Matthew
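
The message leaves the choice of password authentication to whoever edits /etc/ssh/sshd_config, so it helps to check which value sshd will actually honour after an edit. The script below is an added example, not part of the message or of FreeBSD's own tooling; the function names and the sample file are constructed here, and it assumes whitespace-separated keyword lines with no Include directives.

```sh
#!/bin/sh
# Added example (not from the original message).
# sshd_effective KEYWORD FILE
#   Prints the global value sshd would take for KEYWORD from FILE, or "unset".
#   Rules modelled: keywords are case-insensitive, the first value read for a
#   keyword wins, and everything after a "Match" line is conditional.
#   Assumptions: whitespace-separated "Keyword value" lines; Include
#   directives are not followed.
sshd_effective() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || NF == 0 { next }        # comment or blank line
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == want {
            gsub(/"/, "", $2)                  # values may be double-quoted
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$2"
}

# password_paths FILE
#   Prints the password-capable methods explicitly switched on globally.
password_paths() {
    on=""
    for kw in PasswordAuthentication KbdInteractiveAuthentication; do
        if [ "$(sshd_effective "$kw" "$1")" = "yes" ]; then
            on="${on:+$on }$kw"
        fi
    done
    echo "$on"
}

# Constructed sample: an admin appended "no" below an earlier "yes".
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample, not a real system's file
passwordauthentication yes
PasswordAuthentication no
PermitRootLogin "prohibit-password"
Match User backup
    KbdInteractiveAuthentication yes
EOF
password_paths "$sample"   # the later "no" does not override the first "yes"
```

On a live system, `sshd -T` prints the fully resolved configuration, including the compiled-in defaults that this parser reports as "unset".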