Date: Tue, 13 Jan 2015 10:41:50 -0800
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: Zoran Kolic <zkolic@sbb.rs>
Cc: freebsd-security@freebsd.org
Subject: Re: Security SSH
Message-ID: <BF9DC004-BC60-4934-87FA-180BB529D699@vpnc.org>
In-Reply-To: <20150113173127.GA15966@knossos>
References: <mailman.81.1421064001.70786.freebsd-security@freebsd.org> <20150112164010.GA811@mycenae.sbb.rs> <3E13CC03-7C83-4B6D-85B1-442D4014E57D@vpnc.org> <20150113173127.GA15966@knossos>
On Jan 13, 2015, at 9:31 AM, Zoran Kolic <zkolic@sbb.rs> wrote:
>
>> Can you point to that for the rest of us? I'd rather not wade in openbsd-misc....
>
> The link original poster presented is the correct one.
> OpenBSD tend to set some default values, which one might
> like or not. I would disable root login at first.
> Misc seems rough at moment. I found it very helpful if
> I need help, just have to follow rules. Be patient, give
> as much info as possible, don't push... Do your homework...
> If I really have to say what I think: ssh is great tool.

In the FreeBSD space, enabling root login for SSH by default is problematic on both sides of the sword.

- If it is enabled by default, and the root password is purposely easy to remember (because it is a single-user system), it's easy to get owned.

- If it is disabled by default, you either have to be able to log in once from the console (which you might not have access to if it is a VM), or the one user who was added has to be part of the right group *and* you need to remember the right incantation for "su".

On balance, I'm happy with the FreeBSD default of "PermitRootLogin no" even though it has made creating new FreeBSD VMs troublesome for me sometimes.

...and I'm glad we're not discussing the uninformed crypto FUD that started this thread...

--Paul Hoffman
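
Added example, not part of the original message: a check for both sides of the trade-off described above, reporting where root login over SSH is still permitted and, where it is off, whether any non-root account could use su. Assumptions: the "right group" is wheel, an absent keyword means the "PermitRootLogin no" default quoted in the message, and every file content and function name below is constructed for illustration.

```python
# Added example. All file contents below are constructed samples.
SSHD_CONFIG = """\
#PermitRootLogin yes
Port 22
permitrootlogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""
GROUP_OK = "wheel:*:0:root,alice\noperator:*:5:root\n"
GROUP_LOCKOUT = "wheel:*:0:root\noperator:*:5:root\n"


def root_login_settings(config_text, default="no"):
    """Return (global_value, [(match_criteria, value), ...]).

    sshd uses the first value it reads for a keyword, keyword names are
    case-insensitive, and lines after a Match line apply conditionally.
    """
    global_value, overrides, match = None, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Tolerate "Keyword=value" as well as "Keyword value".
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            match = " ".join(args)
        elif key == "permitrootlogin" and args:
            if match is not None:
                overrides.append((match, args[0].lower()))
            elif global_value is None:  # first occurrence wins
                global_value = args[0].lower()
    return (global_value or default), overrides


def audit(config_text, group_text, su_group="wheel"):
    """List findings for both sides of the trade-off in the message."""
    findings = []
    value, overrides = root_login_settings(config_text)
    if value != "no":
        findings.append(f"global PermitRootLogin is '{value}'")
    for criteria, v in overrides:
        if v != "no":
            findings.append(f"Match {criteria} sets PermitRootLogin '{v}'")
    members = set()
    for entry in group_text.splitlines():
        fields = entry.split(":")
        if len(fields) == 4 and fields[0] == su_group:
            members = {m for m in fields[3].split(",") if m and m != "root"}
    if value == "no" and not members:
        findings.append(f"no non-root user in '{su_group}' to su from")
    return findings
```

On a live host the effective values come from the real sshd_config and /etc/group rather than these strings; the later "PermitRootLogin yes" line in the sample is ignored because the earlier "no" was read first.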