Date: Sun, 03 Aug 2014 10:23:51 +0100
From: Mike Clarke <jmc-freebsd2@milibyte.co.uk>
To: freebsd-questions@freebsd.org
Cc: "William A. Mahaffey III" <wam@hiwaay.net>
Subject: Re: permission problems w/ ordinary user ....
Message-ID: <2489109.sNVhnsNWVW@curlew.lan>
In-Reply-To: <53DD7B4D.90903@hiwaay.net>
References: <53DD742F.3020408@hiwaay.net> <20140802234554.GA34503@slackbox.erewhon.home> <53DD7B4D.90903@hiwaay.net>
On Saturday 02 August 2014 18:59:09 William A. Mahaffey III wrote:
> On 08/02/14 18:45, Roland Smith wrote:
> > On Sat, Aug 02, 2014 at 06:28:47PM -0500, William A. Mahaffey III wrote:

[snip]

> >> I can ssh in as root no sweat
> >
> > Yikes. That is usually the first thing I'd disable!
> >
> >
> > Roland
>
> I do that (easy root login) on purpose, my LAN is not internet
> exposed (except when I'm browsing)

You can make things a bit more secure by requiring ssh keys instead of a password for remote access. Use ssh-keygen to generate your keys then append your ~/ssh/id_rsa.pub to /root/.ssh/authorized_keys on the machine where you need root access. Then make these changes to /etc/ssh/sshd_config on the remote machine and restart sshd.

--- /usr/src/crypto/openssh/sshd_config 2013-01-12 13:21:39.235909173 +0000 +++ /etc/ssh/sshd_config 2013-01-12 13:20:23.078909059 +0000 @@ -45,4 +45,5 @@ #LoginGraceTime 2m #PermitRootLogin no +PermitRootLogin without-password #StrictModes yes #MaxAuthTries 6 @@ -64,5 +65,5 @@ # Change to yes to enable built-in password authentication. -#PasswordAuthentication no +PasswordAuthentication no #PermitEmptyPasswords no

NB. If you don't have physical access to the remote machine then be very careful not to make any mistakes which could lock you out of it. In particular make sure you have set up your keys and edited /root/.ssh/authorized_keys correctly before reconfiguring sshd. To be on the safe side confirm that you can make a successful remote login from another terminal window before closing your current remote session.

-- 
Mike Clarke
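Review bot: in the first hunk (@@ -45,4 +45,5 @@), the added `PermitRootLogin without-password` carries no comment recording why direct root login is being allowed, and it sits right under the commented `#PermitRootLogin no`, which makes the intent easy to misread later. The setting only takes passwords away from root; root can still log in directly with a key, so the private key matching /root/.ssh/authorized_keys becomes the single control on root access. Suggest a one-line comment above the new line stating that root is key-only on purpose, and protecting that key with a passphrase. Later OpenSSH releases also accept `prohibit-password` for the same setting, and `forced-commands-only` is worth considering if root is needed remotely only for specific jobs.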
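Review bot: in the second hunk (@@ -64,5 +65,5 @@), `PasswordAuthentication no` is a global setting, so it applies to every account and not only to root, while the accompanying instructions only install a key into /root/.ssh/authorized_keys. Any ordinary user who logs in remotely needs a working key in place before sshd is restarted, or that user is locked out. Note also that the removed line `#PasswordAuthentication no` is the commented form of the same value; if the commented entries in this file show the built-in defaults, the hunk makes the default explicit rather than changing behaviour. Confirm the effective value with `sshd -T`, and check whether passwords are still accepted through another method such as challenge-response (PAM), which this hunk does not touch.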
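An added example, not part of the original message: a static check to run before restarting sshd, confirming that the edited config has the two settings from the diff and that root's authorized_keys is not empty. The function names are hypothetical, and the parser is simplified as noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original message); function names are
# hypothetical. Simplifications: only the global section is read
# (parsing stops at the first Match line), Include is not followed,
# and the "Keyword=value" spelling is not handled.

# Print the value set for a keyword. Keywords are case-insensitive and
# sshd keeps the first value it reads. Prints "unset" if never set.
sshd_opt() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        NF == 0 || $1 ~ /^#/ { next }      # blank line or comment
        tolower($1) == "match" { exit }    # end of global section
        tolower($1) == want && val == "unset" { val = tolower($2) }
        END { print val }
    ' "$1"
}

# Count usable entries (non-blank, non-comment) in an authorized_keys file.
key_count() {
    [ -r "$1" ] || { echo 0; return; }
    awk 'NF > 0 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Return 0 only if the config has both settings from the diff above and
# at least one key is installed for root; report each failure on stderr.
# $1 = sshd_config path, $2 = root's authorized_keys path
precheck() {
    rc=0
    root=$(sshd_opt "$1" PermitRootLogin)
    pass=$(sshd_opt "$1" PasswordAuthentication)
    case "$root" in
        without-password|prohibit-password) ;;  # second is the newer spelling
        *) echo "PermitRootLogin is '$root'" >&2; rc=1 ;;
    esac
    [ "$pass" = no ] || { echo "PasswordAuthentication is '$pass'" >&2; rc=1; }
    [ "$(key_count "$2")" -gt 0 ] || { echo "no keys in $2" >&2; rc=1; }
    return "$rc"
}
```

Run as root with `precheck /etc/ssh/sshd_config /root/.ssh/authorized_keys`. It does not replace the test login from a second terminal that the message recommends; `sshd -t` checks the file's syntax and `sshd -T` prints the configuration sshd will actually use.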
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2489109.sNVhnsNWVW>