Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 30 May 2007 02:06:38 -0700
From:      perryh@pluto.rain.com
To:        freebsd-questions@freebsd.org
Subject:   Re: connecting user root with ssh
Message-ID:  <465d3e9e.uyoP2YaUttmVs6ON%perryh@pluto.rain.com>
In-Reply-To: <465C1D68.8000502@yahoo.gr>
References:  <11066.217.114.136.135.1180427946.squirrel@llca513-a.servidoresdns.net> <499c70c0705290145w309bd308u83f39f3791c5b3f@mail.gmail.com> <465C1D68.8000502@yahoo.gr>

next in thread | previous in thread | raw e-mail | index | archive | help
> > you are warned, do not allow SSH to your box with user root at all.
> ...
> Having root logon enabled remotely is just asking for trouble.

The O.P. might be interested in knowing *why* allowing remote root
login is considered unwise:

* The name "root" is very well known.

* If "root" can log in remotely, a cracker need only guess root's
  password to obtain root access.

* If "root" cannot log in remotely, a cracker has to guess three
  things to obtain root access, instead of just one:

  + A valid username which is in the "wheel" group;
  + That user's password;
  + The root password.

This at least doubles the difficulty of a brute-force attack:
even if a suitable username were obvious, there would still be
two passwords to be cracked.  It can be made even tougher by
having only one username (other than root) in the wheel group,
choosing that name as if it were a password, and not allowing
it to be externally known (e.g. never using it for mail).



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?465d3e9e.uyoP2YaUttmVs6ON%perryh>