From: Pollywog
To: freebsd-questions@freebsd.org
Date: Tue, 24 Jul 2007 19:27:38 +0000
Subject: Re: connecting user root with ssh
Message-Id: <200707241927.38359.lists-fbsd@shadypond.com>
In-Reply-To: <20070724213326.5e8aa27d@localhost>
References: <11066.217.114.136.135.1180427946.squirrel@llca513-a.servidoresdns.net> <465d3e9e.uyoP2YaUttmVs6ON%perryh@pluto.rain.com> <20070724213326.5e8aa27d@localhost>

On Tuesday 24 July 2007 11:33:26 Norberto Meijome wrote:
> On Wed, 30 May 2007 02:06:38 -0700
>
> perryh@pluto.rain.com wrote:
> > * If "root" cannot log in remotely, a cracker has to guess three
>
> guess or brute force - so quite long random passwords (or ssh keys) are
> extremely recommendable.
>
> > things to obtain root access, instead of just one:
> >
> > + A valid username which is in the "wheel" group;
> > + That user's password;
> > + The root password.
>
> that is assuming, of course, that the user you just logged in with belongs
> to wheel.

If one must allow root logins via ssh, I recommend in sshd_config:

    PermitRootLogin without-password

This will force the use of a passphrase and disallow root login with just a password.
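
Added example, not part of the original message: a shell check for the sshd_config setting discussed above. It reports the PermitRootLogin value from the global section of a config file; the function names and the sample file are constructed for illustration, and it assumes whitespace-separated keywords and no Include directives.

```shell
#!/bin/sh
# Added example: which PermitRootLogin value does the global section of an
# sshd_config file (path in $1) give sshd?

# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and a Match line ends the global section. Values set
# inside Match blocks apply only to matching connections and are not reported.
effective_root_login() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }     # blank lines and comments
        { key = tolower($1) }
        key == "match" { exit }           # end of the global section
        key == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Translate the value into what it means for root over ssh.
# "prohibit-password" is the newer OpenSSH spelling of "without-password".
root_login_verdict() {
    case "$(effective_root_login "$1")" in
        no)                   echo "root login refused" ;;
        without-password|prohibit-password)
                              echo "root may log in, but not with a password" ;;
        forced-commands-only) echo "root may run key-bound forced commands only" ;;
        yes)                  echo "root may log in with a password" ;;
        unset)                echo "not set globally: the built-in default applies" ;;
        *)                    echo "unrecognized value" ;;
    esac
}

# Constructed sample: a commented-out "yes", the setting from the message,
# a later duplicate that sshd ignores, and a Match block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PermitRootLogin yes
Port 22
permitrootlogin without-password
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
root_login_verdict "$sample"
rm -f "$sample"
```

On a running host, `sshd -T` prints the configuration sshd actually resolved, including built-in defaults.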