Date: Mon, 29 Jan 2024 14:34:00 +0000
From: Norman Gray <gray@nxg.name>
To: Jonathan Adams <jfadams1963@proton.me>
Cc: freebsd-questions@freebsd.org
Subject: Re: Enabling SSHD
Message-ID: <3CBFBF9D-B141-4417-AF5B-1E85CE6ABBC9@nxg.name>
In-Reply-To: <BHs6axVCDQRUWc9O5KLVIF5b9tVo_qUIXZfJ3ASj6U-6sfJKBhcSrOn_VWfYfrxOQyFSEZKLjQuHbBKJ57NuwR-jAl7kDRYp7ix7bDVgCfk=@proton.me>
References: <20240129125745.fuh6nnc4dooto2oz@yosemite.mars.lan> <CPja5CJLsYzkPuo_qd5lnJuUj6lBBCW2uHo3NcbFubhGSKa2gNEu0ETvjZSAwI_-rQFuVvUJR2s10xbz40uL17k1lpLSCiz8azHd77S9LK8=@proton.me> <BHs6axVCDQRUWc9O5KLVIF5b9tVo_qUIXZfJ3ASj6U-6sfJKBhcSrOn_VWfYfrxOQyFSEZKLjQuHbBKJ57NuwR-jAl7kDRYp7ix7bDVgCfk=@proton.me>
Greetings.

On 29 Jan 2024, at 13:14, Jonathan Adams wrote:

> Please disable root logins via SSH. Even on your LAN, it's bad practice.

I think this is going a step too far. I'd agree with you that password-based root access is likely to be problematic (pace Paul Foster's comments elsewhere in the thread), but key-based ssh authentication, plus either group or cert-based AuthZ, seems adequately secure.

ssh certs are quite nice -- [1] is a nice write-up. Short-validity ssh certs let you control who has access, and allow clear logging of who has connected. Password-based root logins don't make clear who has logged in, and to me that's an important argument against permitting that. I don't see a difference, in security terms, between permitting sudo to a root shell, and permitting cert-based ssh access.

(I'm talking only about internal connections, of course -- outward facing sshd servers are a different issue).

Best wishes,

Norman

[1] https://engineering.fb.com/2016/09/12/security/scalable-and-secure-access-with-ssh/

-- 
Norman Gray : https://nxg.me.uk
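The setup Norman describes (key- or cert-based root access with short-validity certs, password logins off, and a log line that says who actually connected) can be stood up with nothing but ssh-keygen and a few sshd_config lines. The script below is an added example, not code from the thread, from Norman, or from the FreeBSD project; it assumes OpenSSH's ssh-keygen is installed, and the identity name alice, the principal ops, the 8-hour lifetime, and the /etc/ssh/principals path are made-up values for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: issue a short-lived OpenSSH user
# certificate from a local CA, read back what sshd will log about it, and
# print the sshd_config lines that accept it for root without passwords.
# Assumes OpenSSH's ssh-keygen is installed. Identity names, principals,
# paths and the 8h lifetime are made-up values for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Create the CA signing key. In practice this lives on a signing host, not
# on the servers; only its public half (user_ca.pub) is copied to sshd.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'example-user-ca' -f "$WORK/user_ca"
    echo "$WORK/user_ca.pub"
}

# Issue a certificate for a fresh user key.
#   $1 identity   -> embedded as Key ID; sshd logs it on every accepted login
#   $2 principals -> comma-separated; decide which accounts the cert may map to
#   $3 validity   -> e.g. +8h; after this the cert is dead without any revocation
# The serial is taken from the clock so each issuance is distinguishable in
# logs and can be revoked individually with a KRL (ssh-keygen -k) if needed.
issue_cert() {
    ssh-keygen -q -t ed25519 -N '' -C "$1" -f "$WORK/id_$1"
    ssh-keygen -q -s "$WORK/user_ca" -I "$1" -n "$2" -V "$3" -z "$(date +%s)" \
        "$WORK/id_$1.pub"
    echo "$WORK/id_$1-cert.pub"
}

# Read back the fields from ssh-keygen -L; the Key ID and serial are also what
# sshd's "Accepted publickey ... ID <key id> (serial N) CA ..." line reports.
cert_key_id() {
    ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Key ID: "\(.*\)"$/\1/p'
}

cert_principals() {
    ssh-keygen -L -f "$1" | awk '
        /Principals:/       { in_list = 1; next }
        /Critical Options:/ { in_list = 0 }
        in_list             { gsub(/^[ \t]+/, ""); print }'
}

cert_has_expiry() {
    # A short-lived cert prints "Valid: from ... to ..."; an unbounded one
    # prints "Valid: forever", which is the thing we are trying to avoid.
    ssh-keygen -L -f "$1" | grep -q 'Valid: from .* to '
}

# Server side: trust the CA, map principals to accounts, and refuse passwords
# for root. With AuthorizedPrincipalsFile a cert is accepted for account U when
# one of its principals is listed in that file; without it the principal must
# equal the account name.
sshd_config_snippet() {
    cat <<EOF
# /etc/ssh/sshd_config (excerpt; $1 is copied to the server as user_ca.pub)
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthorizedPrincipalsFile /etc/ssh/principals/%u
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
# /etc/ssh/principals/root would then contain the single line:  ops
EOF
}

demo() {
    ca_pub=$(make_ca)
    cert=$(issue_cert alice ops +8h)
    echo "key id:      $(cert_key_id "$cert")"
    echo "principals:  $(cert_principals "$cert" | tr '\n' ' ')"
    cert_has_expiry "$cert" && echo "expiry:      bounded"
    sshd_config_snippet "$ca_pub"
}

# Run as: sh this_script.sh demo
case "${1:-}" in demo) demo ;; esac
```

Two points worth noting when adapting this: the certificate's Key ID is the only thing that ties a root session back to a person, so it must be set by the CA from an authenticated request, never chosen by the requester; and `PermitRootLogin prohibit-password` is the current spelling of the option (older configs say `without-password`). Validate the resulting server config with `sshd -t` before restarting.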