From: "Kevin D. Kinsey, DaleCo, S.P."
Date: Mon, 01 Mar 2004 10:41:58 -0600
To: Stephen Liu
Cc: Nathan Kinkade, freebsd-questions@freebsd.org
Subject: Re: SSH Problem
Message-ID: <404367D6.6030801@daleco.biz>
In-Reply-To: <200403020809.43752.satimis@icare.com.hk>

Stephen Liu wrote:

>- snip -
>
>>You say that this works as root, but your example seems to indicate
>>otherwise.  By default, root logins via ssh are disabled in the sshd
>>config file, usually at /etc/ssh/sshd_config.  If for some reason you
>>want to allow root logins via ssh then uncomment the following line and
>>change "no" to "yes" - then restart sshd:
>>
>>PermitRootLogin yes
>>
>>However, I think this would generally be frowned upon from a security
>>standpoint.
>
>Hi Nathan,
>
>Tks for your advice which works.
>
>This arrangement is only to facilitate Administrator's job.  He operates outside
>contact as 'user' from there if necessary he can login as root doing
>maintenance.
>
>B.R.
>Stephen

No, no, no...!! :-)

He should be a member of the "wheel" group.  He should
then ssh in as "user", and use su(1) to "become" root.

Better even still, install sudo (/usr/ports/security/sudo)
and let him use that: then you can see what your Administrator
has been up to, if necessary....

HTH,

Kevin Kinsey
DaleCo, S.P.
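
The setup recommended in this reply can be checked from the shell. The script below is an added example, not part of the original message: it reads the global PermitRootLogin value from an sshd_config file and checks wheel membership in a group file. The function names, the account name "admin" and the sample files are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). File paths are arguments so the checks
# can run against copies; the sample files at the bottom are constructed.

# Print the global PermitRootLogin value from an sshd_config file, lowercased.
# sshd keeps the first value it reads for a keyword and ignores "#" lines.
# Parsing stops at the first Match block; prints "unset" if the keyword is absent.
permit_root_login() {
    awk '{ line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/)
           k = tolower(f[1])
           if (k == "match") exit
           if (k == "permitrootlogin") { print tolower(f[2]); found = 1; exit } }
         END { if (!found) print "unset" }' "$1"
}

# Succeed if USER ($1) is in the member list of "wheel" in group file $2
# (format name:passwd:gid:member,member), the reply's prerequisite for su(1).
in_wheel() {
    awk -F: -v u="$1" '$1 == "wheel" { n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$2"
}

# Report on both settings; return 0 only if root ssh login is explicitly
# "no" and the admin account is a wheel member.
audit_admin_access() {   # usage: audit_admin_access USER SSHD_CONFIG GROUP_FILE
    rc=0
    prl=$(permit_root_login "$2")
    case "$prl" in
        no)    echo "ok:   PermitRootLogin no" ;;
        unset) echo "note: PermitRootLogin not set, sshd's built-in default applies"; rc=1 ;;
        *)     echo "warn: PermitRootLogin $prl allows some form of root login over ssh"; rc=1 ;;
    esac
    if in_wheel "$1" "$3"; then
        echo "ok:   $1 is in wheel and can su(1) to root"
    else
        echo "warn: $1 is not in wheel; add with: pw groupmod wheel -m $1"; rc=1
    fi
    return $rc
}

# Constructed sample files: the setting from the quoted advice, and a group
# file in which the hypothetical account "admin" is a wheel member.
demo=$(mktemp -d)
printf '#PermitRootLogin no\nPermitRootLogin yes\n' > "$demo/sshd_config"
printf 'wheel:*:0:root,admin\noperator:*:5:root\n' > "$demo/group"
audit_admin_access admin "$demo/sshd_config" "$demo/group" || true
rm -rf "$demo"
```

On a live host the call would be `audit_admin_access <user> /etc/ssh/sshd_config /etc/group`; the membership check covers only the group file's member list, not an account whose primary group is wheel.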