Date:      Sun, 03 Aug 2014 10:23:51 +0100
From:      Mike Clarke <jmc-freebsd2@milibyte.co.uk>
To:        freebsd-questions@freebsd.org
Cc:        "William A. Mahaffey III" <wam@hiwaay.net>
Subject:   Re: permission problems w/ ordinary user ....
Message-ID:  <2489109.sNVhnsNWVW@curlew.lan>
In-Reply-To: <53DD7B4D.90903@hiwaay.net>
References:  <53DD742F.3020408@hiwaay.net> <20140802234554.GA34503@slackbox.erewhon.home> <53DD7B4D.90903@hiwaay.net>

On Saturday 02 August 2014 18:59:09 William A. Mahaffey III wrote:
> On 08/02/14 18:45, Roland Smith wrote:
> > On Sat, Aug 02, 2014 at 06:28:47PM -0500, William A. Mahaffey III wrote:

[snip]

> >> I can ssh in as root no sweat
> > 
> > Yikes. That is usually the first thing I'd disable!
> > 
> > 
> > Roland
> 
> I do that (easy root login) on purpose, my LAN is not internet
> exposed (except when I'm browsing)

You can make things a bit more secure by requiring ssh keys instead of 
a password for remote access.

Use ssh-keygen to generate your keys, then append your ~/.ssh/id_rsa.pub 
to /root/.ssh/authorized_keys on the machine where you need root 
access.

Then make these changes to /etc/ssh/sshd_config on the remote machine 
and restart sshd.

--- /usr/src/crypto/openssh/sshd_config 2013-01-12 13:21:39.235909173 
+0000
+++ /etc/ssh/sshd_config        2013-01-12 13:20:23.078909059 +0000
@@ -45,4 +45,5 @@
 #LoginGraceTime 2m
 #PermitRootLogin no
+PermitRootLogin without-password
 #StrictModes yes
 #MaxAuthTries 6
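Review bot: the added "PermitRootLogin without-password" line has no comment, and the value name reads as if root could log in with no password at all. It means root may log in, but not by password, so key-based root login stays open; a one-line comment above it saying so would prevent misreading, and the commented default "#PermitRootLogin no" directly above is the stricter choice if remote root is not needed.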
@@ -64,5 +65,5 @@
 
 # Change to yes to enable built-in password authentication.
-#PasswordAuthentication no
+PasswordAuthentication no
 #PermitEmptyPasswords no
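Review bot: "PasswordAuthentication no" on the changed line is global, not root-only, so every account that currently logs in by password loses remote access after the restart; confirm each such user has a key in authorized_keys first. The hunk also leaves other authentication methods untouched: if ChallengeResponseAuthentication is enabled elsewhere in the file, sshd can still accept passwords through PAM keyboard-interactive, so check that setting as well.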

NB. If you don't have physical access to the remote machine then be 
very careful not to make any mistakes which could lock you out of it. 
In particular make sure you have set up your keys and edited 
/root/.ssh/authorized_keys correctly before reconfiguring sshd. To be 
on the safe side confirm that you can make a successful remote login 
from another terminal window before closing your current remote 
session.

-- 
Mike Clarke
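
An added example, not part of the original message: a pre-flight check for the lock-out risk described in the NB above, to run on the remote machine before restarting sshd. The function names and the constructed sample files are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the original message): check before restarting sshd.

# Print the first uncommented global value of KEYWORD in an sshd_config file.
# sshd keeps the first value it reads for a keyword; keywords are
# case-insensitive. Assumes "Keyword value" form (no "Keyword=value").
effective_value() {
    awk -v kw="$2" '
        BEGIN { kw = tolower(kw) }
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }   # Match blocks are conditional
        tolower($1) == kw { print $2; exit }
    ' "$1"
}

# Count lines in an authorized_keys file that look like public keys
# (optional options field, key type, base64 blob starting with AAAA).
count_keys() {
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null |
        grep -Ec '(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)[[:space:]]+AAAA[A-Za-z0-9+/]+' || true
}

# Return 0 when root is key-only, passwords are off and a key is installed;
# 1 when the config differs from the diff; 2 when a restart risks lockout.
preflight() {
    cfg=$1; keys=$2; rc=0
    root=$(effective_value "$cfg" PermitRootLogin)
    pass=$(effective_value "$cfg" PasswordAuthentication)
    nkeys=$(count_keys "$keys")
    echo "PermitRootLogin=${root:-unset} PasswordAuthentication=${pass:-unset} keys=$nkeys"
    case "$root" in
        without-password|prohibit-password) ;;  # second is the newer OpenSSH spelling
        *) echo "root login is not restricted to keys"; rc=1 ;;
    esac
    [ "$pass" = no ] || { echo "PasswordAuthentication is not explicitly 'no'"; rc=1; }
    [ "$nkeys" -gt 0 ] || { echo "LOCKOUT RISK: no usable key in $keys"; rc=2; }
    return "$rc"
}

# With two paths (sshd_config, authorized_keys) check those files; otherwise demo.
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
else  # constructed sample: config as in the diff, but no key installed yet
    d=$(mktemp -d)
    printf 'PermitRootLogin without-password\nPasswordAuthentication no\n' > "$d/cfg"
    : > "$d/keys"
    preflight "$d/cfg" "$d/keys" || echo "exit status $?"
    rm -rf "$d"
fi
```

A clean result only says the files look right; the second-terminal login test from the NB is still the real confirmation.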