Date: Fri, 5 Oct 2001 13:40:29 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
To: Kutulu <kutulu@kutulu.org>
Cc: Sheldon Hearn <sheldonh@starjuice.net>, stable@FreeBSD.ORG
Subject: Re: Why sshd:PermitRootLogin = no ?
Message-ID: <200110052040.f95KeTw84982@earth.backplane.com>
References: <5.1.0.14.0.20011005120304.009f8590@127.0.0.1>
:>Why is sshd's PermitRootLogin set to 'no' in the default installation of
:>FreeBSD?
:>
:>The security gain for a brand new installation is questionable. The
:>downside is that, when you have remote hands pressing the buttons for
:>you during the installation, an extra user has to be created by those
:>hands.
:
:Typically it is considered very insecure to allow a UID 0 user to log in
:directly, via telnet, sshd, or whatever. The issue here is that a
:malicious individual could attempt to guess and/or brute-force the root
:password.
:
:The preferred procedure is to create a non-root user who is in the wheel
:group (for *BSD specifically), and use su to become root after logon.
:
:There are a few specific cases where it may be beneficial for root to be
:allowed to log on directly, if only for a short period of time;
:unfortunately I don't know of any way to configure sshd to allow this
:during the actual install. For the most part, this default setting is
:considered a 'good thing' in terms of out-of-box security.
:
:--K

Yes, exactly so. Though I don't think it would hurt to change the default to:

    PermitRootLogin without-password

Which means that root can only login using a pre-authenticated method such
as an SSH key pair (aka ~root/.ssh/authorized_keys), or kerberos. Passworded
logins are still disallowed.

-Matt

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
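The distinction Matt draws (root denied outright, root with keys or Kerberos only, or root with a password) is something a defender usually wants to check mechanically across many hosts. The following is an added example, not code from this mail or from OpenSSH: a small Python checker that parses the global section of an sshd_config with sshd's first-match rule (the first occurrence of a keyword wins; later duplicates are ignored) and reports whether the file leaves a password path to a root login open. It knows `without-password` and its later spelling `prohibit-password`; the sample configs and the 192.0.2.0/24 address are constructed, and the helper names are the example's own.

```python
"""Classify the root-login policy an sshd_config expresses.

Added example for this thread, not code from the original mail or from
OpenSSH. It applies sshd's first-match rule (the first occurrence of a
keyword wins; later duplicates are ignored) and reports whether the file
leaves a password path to a root login open. Sample configs are constructed.
"""
import re

# Spellings OpenSSH accepts for key-only root logins. ``prohibit-password``
# is the newer name for ``without-password`` (OpenSSH 7.0 and later).
KEY_ONLY_VALUES = {"without-password", "prohibit-password"}


def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.

    - keywords are case-insensitive; "Key value" and "Key=value" are accepted
    - blank lines and lines starting with '#' are skipped
    - the first occurrence of a keyword wins (sshd's first-match rule)
    - everything after the first ``Match`` line applies conditionally and is
      ignored here, so the result describes the unconditional policy only
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def root_login_policy(text):
    """Classify PermitRootLogin as 'any-method', 'key-only',
    'forced-commands-only', 'denied', or 'unset' when the file is silent."""
    value = parse_sshd_config(text).get("permitrootlogin")
    if value is None:
        return "unset"
    v = value.lower()
    if v == "yes":
        return "any-method"
    if v == "no":
        return "denied"
    if v in KEY_ONLY_VALUES:
        return "key-only"
    if v == "forced-commands-only":
        return "forced-commands-only"
    raise ValueError("unknown PermitRootLogin value: %r" % value)


def root_password_login_possible(text):
    """True if root can authenticate to sshd with a password, False if not,
    None when PermitRootLogin is unset (the built-in default then decides,
    and that default has differed between OpenSSH versions).

    PasswordAuthentication defaults to yes when unset. Keyboard-interactive
    (PAM) authentication is a second password path not modelled here.
    """
    settings = parse_sshd_config(text)
    policy = root_login_policy(text)
    if policy == "unset":
        return None
    password_auth = settings.get("passwordauthentication", "yes").lower() == "yes"
    return policy == "any-method" and password_auth


# Constructed sample configs (not taken from any real host).
WEAK_CONFIG = """
# root may log in with a guessable password
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """
# root only via ~root/.ssh/authorized_keys or Kerberos; passwords rejected
PermitRootLogin without-password
PasswordAuthentication yes
"""

# First-match rule: the later 'yes' does not override the earlier line.
DUPLICATED_CONFIG = """
PermitRootLogin without-password
PermitRootLogin yes
"""

# The Match block applies only to matching clients; the global policy stays 'no'.
MATCH_CONFIG = """
PermitRootLogin no
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG),
                      ("duplicated", DUPLICATED_CONFIG), ("match", MATCH_CONFIG)]:
        print(name, root_login_policy(cfg), root_password_login_possible(cfg))
```

Two design choices matter for an audit: a `Match` block is deliberately excluded so the result is the unconditional policy (a per-source exception should be reviewed on its own), and an unset `PermitRootLogin` is reported as unknown rather than guessed, because the built-in default depends on the sshd version actually installed.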