Date:      Mon, 29 Jan 2024 14:15:19 +0000
From:      Matthew Seaman <matthew@FreeBSD.org>
To:        questions@freebsd.org
Subject:   Re: Enabling SSHD
Message-ID:  <4f60fad9-c5b1-46ea-bfbf-7e654bd5d3d1@FreeBSD.org>
In-Reply-To: <20240129134722.fbwrvamdf2wx4vik@yosemite.mars.lan>
References:  <20240129125745.fuh6nnc4dooto2oz@yosemite.mars.lan> <CPja5CJLsYzkPuo_qd5lnJuUj6lBBCW2uHo3NcbFubhGSKa2gNEu0ETvjZSAwI_-rQFuVvUJR2s10xbz40uL17k1lpLSCiz8azHd77S9LK8=@proton.me> <BHs6axVCDQRUWc9O5KLVIF5b9tVo_qUIXZfJ3ASj6U-6sfJKBhcSrOn_VWfYfrxOQyFSEZKLjQuHbBKJ57NuwR-jAl7kDRYp7ix7bDVgCfk=@proton.me> <20240129134722.fbwrvamdf2wx4vik@yosemite.mars.lan>

On 29/01/2024 13:47, Paul M Foster wrote:
> I certainly hope this is not the case. I've been running Linux for 30
> years, and am looking to transition to FreeBSD. If passwords are prohibited
> for SSH access, that would be a major reason for me not to pursue FreeBSD
> any further. FWIW, I disagree with the current fad of believing that
> passwords should be eliminated for everything. I believe passwords,
> properly implemented, are more than adequate for normal security. If you're
> trying to secure NSA servers or something, by all means eliminate
> passwords in favor of hardware keys or the like.

Passwords are not prohibited for SSH access.  The default configuration 
supplied with a basic install of FreeBSD doesn't turn password access on 
for root by default, because we know that many people will just use the 
"out of the box" configuration, so it is set to be as secure as feasible.

However this is FreeBSD.  We have a saying around here: "tools, not 
policy" -- meaning that, yes, the system comes with ssh, but it's 
entirely up to you how to configure it.  If you want password based auth 
for sshd, then go ahead and edit /etc/ssh/sshd_config and/or /etc/pam.d 
entries, as appropriate.

In fact, in general, if you install any software that requires 
configuration files to be set up, don't assume you're going to get 
anything like a working configuration directly from `pkg install`. 
You might get something immediately usable, sometimes, but you can't 
rely on that happening.

Likewise, don't expect daemon processes to be automatically enabled and 
started up as a result of `pkg install`.

On FreeBSD, those are deliberately separate steps that you, as the 
admin, are expected to make intentionally.  It's maybe not as convenient 
for a more casual user, but it plays much better with automated 
configuration tools like Ansible, and if you're working at scale with 
whole clusters of machines.

	Cheers,

	Matthew
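
An added example, not part of the message above or of FreeBSD's own tooling: before editing /etc/ssh/sshd_config, it helps to see which login-related keywords are actually set globally, because sshd uses the first occurrence of a keyword and treats everything after a `Match` line as conditional. The helper name `effective_value`, the sample file and its contents are constructed for illustration; `Include` files and `keyword=value` syntax are not handled.

```shell
#!/bin/sh
# Added example: find the global value a sshd_config file sets for a keyword.
# Rules relied on: keywords are case-insensitive, the first occurrence wins,
# lines starting with '#' are comments, and lines after the first "Match"
# line apply only conditionally, so they are not global settings.

# effective_value FILE KEYWORD [FALLBACK]
# Prints the first global value of KEYWORD, or FALLBACK ("unset" if omitted)
# when the file leaves the keyword to sshd's built-in default.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" \
        -v fallback="${3:-unset}" '
        NF == 0                 { next }            # blank line
        $1 ~ /^#/               { next }            # comment line
        tolower($1) == "match"  { exit }            # global section ends here
        tolower($1) == want     { print $2; found = 1; exit }
        END                     { if (!found) print fallback }
    ' "$1"
}

# Constructed sample configuration (not a real system's file).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample sshd_config
#PermitRootLogin no
PasswordAuthentication yes
passwordauthentication no
KbdInteractiveAuthentication yes
Match User backup
    PermitRootLogin prohibit-password
EOF

# Report the keywords that decide whether password logins are accepted.
for k in PermitRootLogin PasswordAuthentication KbdInteractiveAuthentication; do
    printf '%-30s %s\n' "$k" "$(effective_value "$sample" "$k")"
done
```

On a live system, `sshd -T` prints the configuration sshd itself resolves, built-in defaults included, and is the authoritative check after any edit.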



