Date: Fri, 2 Nov 2001 05:54:16 -0500
From: Ben Eisenbraun
To: Anthony Atkielski
Cc: Erik Trulsson, Mike Meyer, questions@FreeBSD.ORG
Subject: Re: Lockdown of FreeBSD machine directly on Net
Message-ID: <20011102055416.B67495@klatsch.org>
References: <15330.23714.263323.466739@guru.mired.org> <00b501c1637b$1cd2f880$0a00000a@atkielski.com> <20011102095554.A38169@student.uu.se> <00d801c1637c$d3264640$0a00000a@atkielski.com>
In-Reply-To: <00d801c1637c$d3264640$0a00000a@atkielski.com>; from anthony@atkielski.com on Fri, Nov 02, 2001 at 10:00:28AM +0100

On Fri, Nov 02, 2001 at 10:00:28AM +0100, Anthony Atkielski wrote:
> However, I'd still like to know what has to be done to make SSH work for root
> logins. The "Sorry, you are not allowed to connect" message must be coming from

in /etc/ssh/sshd_config is the line:

PermitRootLogin no

change that to yes, HUP sshd, and it will allow root to login directly via
ssh.

NOT RECOMMENDED. But it's your choice, which is one of the lovely things
about UNIX.

> > This requires that the user you login as is
> > in the 'wheel' group.
>
> And if I add that user to wheel, does that open up any other holes? Doesn't
> wheel have a lot of permissions on a lot of files?

You should investigate 'sudo' in /usr/ports/security/sudo. It's a utility
that will allow you to selectively grant privileges to users that are
normally reserved for root. The only time I ever use the root password is
for logging in when the machine is in single user.

Have fun.

-ben
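
An added example, not part of the original message: a shell check that reports which PermitRootLogin value an sshd_config file sets globally and flags the `yes` setting the message advises against. The function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original message.
# Reports the global PermitRootLogin value in an sshd_config file: sshd keeps
# the first value it reads for a keyword, keywords are case-insensitive, and
# '#' starts a comment. Simplifications: Include files are not followed, and
# parsing stops at the first Match line (Match blocks are not evaluated).

effective_root_login() {
    # $1 = path to an sshd_config file; prints the value, or "unset"
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match"   { exit }   # end of the global section
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

audit_root_login() {
    # Returns 0 when direct root password login is refused, 1 otherwise.
    value=$(effective_root_login "$1")
    case "$value" in
        no)
            echo "OK: root cannot log in over ssh" ;;
        without-password|prohibit-password|forced-commands-only)
            echo "OK: root password login refused ($value)" ;;
        yes)
            echo "WARN: PermitRootLogin yes allows direct root login"
            return 1 ;;
        unset)
            echo "WARN: PermitRootLogin not set; the built-in default applies"
            return 1 ;;
        *)
            echo "WARN: unrecognised value '$value'"
            return 1 ;;
    esac
}

# Constructed sample config for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
#PermitRootLogin yes
permitrootlogin no
PermitRootLogin yes
EOF
audit_root_login "$sample" || true
rm -f "$sample"
```

On a live host with a current OpenSSH, `sshd -T` prints the configuration the daemon actually resolves and is the authoritative check.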