Date:      Sun, 03 Aug 2014 08:05:39 -0500
From:      "William A. Mahaffey III" <wam@hiwaay.net>
To:        freebsd-questions@freebsd.org
Subject:   Re: permission problems w/ ordinary user ....
Message-ID:  <53DE33A3.3020902@hiwaay.net>
In-Reply-To: <2489109.sNVhnsNWVW@curlew.lan>
References:  <53DD742F.3020408@hiwaay.net> <20140802234554.GA34503@slackbox.erewhon.home> <53DD7B4D.90903@hiwaay.net> <2489109.sNVhnsNWVW@curlew.lan>

On 08/03/14 04:23, Mike Clarke wrote:
> On Saturday 02 August 2014 18:59:09 William A. Mahaffey III wrote:
>> On 08/02/14 18:45, Roland Smith wrote:
>>> On Sat, Aug 02, 2014 at 06:28:47PM -0500, William A. Mahaffey III wrote:
>
> [snip]
>
>>>> I can ssh in as root no sweat
>>> Yikes. That is usually the first thing I'd disable!
>>>
>>>
>>> Roland
>> I do that (easy root login) on purpose, my LAN is not internet
>> exposed (except when I'm browsing)
> You can make things a bit more secure by requiring ssh keys instead of
> a password for remote access.
>
> Use ssh-keygen to generate your keys then append your ~/ssh/id_rsa.pub
> to /root/.ssh/authorized_keys on the machine where you need root
> access.
>
> Then make these changes to /etc/ssh/sshd_config on the remote machine
> and restart sshd.
>
> --- /usr/src/crypto/openssh/sshd_config 2013-01-12 13:21:39.235909173
> +0000
> +++ /etc/ssh/sshd_config        2013-01-12 13:20:23.078909059 +0000
> @@ -45,4 +45,5 @@
>   #LoginGraceTime 2m
>   #PermitRootLogin no
> +PermitRootLogin without-password
>   #StrictModes yes
>   #MaxAuthTries 6
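Review bot: the added 'PermitRootLogin without-password' line still permits root logins over SSH; it only stops root from authenticating with a password, and the keyword is easy to read as meaning the opposite. Put a one-line comment above it saying that root is key-only, and keep the commented '#PermitRootLogin no' line where it is so the override of the stock default stays obvious to the next person editing the file.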
> @@ -64,5 +65,5 @@
>   
>   # Change to yes to enable built-in password authentication.
> -#PasswordAuthentication no
> +PasswordAuthentication no
>   #PermitEmptyPasswords no
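Review bot: the '-#PasswordAuthentication no' / '+PasswordAuthentication no' pair only uncomments a value the stock file already lists as its default, so this hunk may not change what sshd actually accepts. The setting also applies to every account, not just root, so any ordinary user without a key loses password login too. Before relying on it, confirm the effective value with sshd -T and check whether keyboard-interactive authentication, which this hunk does not touch, still offers a password prompt.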
>
> NB. If you don't have physical access to the remote machine then be
> very careful not to make any mistakes which could lock you out of it.
> In particular make sure you have set up your keys and edited
> /root/.ssh/authorized_keys correctly before reconfiguring sshd. To be
> on the safe side confirm that you can make a successful remote login
> from another terminal window before closing your current remote
> session.


This (keyed access) is how I have every machine on my network set up, 
just haven't gotten there yet w/ this (very new) box. *High* on my TODO 
list ....

-- 

	William A. Mahaffey III

  ----------------------------------------------------------------------

	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                            -- Gen. George S. Patton Jr.
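
The checks that the quoted advice and its NB call for before sshd is restarted, as an added example that is not part of the thread. The function names and the sample settings are constructed for illustration; the input format assumed is the lowercase "keyword value" lines that `sshd -T` prints.

```shell
# Added example (not from the thread): pre-restart checks for key-only root.
# Reads `sshd -T` style output ("keyword value", lowercase) on stdin.
# Prints findings; returns 0 only if root is key-only and no password
# prompt is left reachable.
audit_sshd_effective() {
    awk '
        { val[$1] = $2 }
        END {
            bad = 0
            prl = val["permitrootlogin"]
            # prohibit-password is the newer spelling of without-password
            if (prl != "without-password" && prl != "prohibit-password") {
                print "FAIL permitrootlogin=" prl ": root is not key-only"; bad = 1
            }
            if (val["pubkeyauthentication"] != "yes") {
                print "FAIL pubkeyauthentication is not yes: key login would fail"; bad = 1
            }
            if (val["passwordauthentication"] != "no") {
                print "FAIL passwordauthentication is not no"; bad = 1
            }
            # Either keyword may appear, depending on the OpenSSH release.
            # Simplification: only the PAM-backed case is flagged.
            kbd = (val["kbdinteractiveauthentication"] == "yes" || val["challengeresponseauthentication"] == "yes")
            if (kbd && val["usepam"] == "yes") {
                print "FAIL keyboard-interactive via PAM still prompts non-root users for a password"; bad = 1
            }
            exit bad
        }'
}

# Returns 0 if the key file exists, is non-empty, and is not writable by
# group or others (sshd with StrictModes refuses such files).
check_authorized_keys() {
    [ -s "$1" ] || { echo "FAIL $1 missing or empty"; return 1; }
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL $1 is group- or world-writable"; return 1
    fi
    echo "OK $1"
}

# Constructed sample: settings after the diff, keyboard-interactive/PAM left on.
SAMPLE_AFTER_DIFF='permitrootlogin without-password
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication yes
usepam yes'
# On the real host, as root: sshd -T | audit_sshd_effective
printf '%s\n' "$SAMPLE_AFTER_DIFF" | audit_sshd_effective || true
```

Run both checks from the existing session, and keep that session open until a second terminal has logged in with the key.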



