Date: Fri, 05 Oct 2001 12:08:55 -0400
From: Kutulu
To: Sheldon Hearn
Cc: stable@FreeBSD.ORG
Subject: Re: Why sshd:PermitRootLogin = no ?
Message-Id: <5.1.0.14.0.20011005120304.009f8590@127.0.0.1>
In-Reply-To: <19436.1002297239@axl.seasidesoftware.co.za>

At 05:53 PM 10/05/2001 +0200, Sheldon Hearn wrote:
> Why is sshd's PermitRootLogin set to 'no' in the default installation of
> FreeBSD?
>
> The security gain for a brand new installation is questionable. The
> downside is that, when you have remote hands pressing the buttons for
> you during the installation, an extra user has to be created by those
> hands.

Typically it is considered very insecure to allow a UID 0 user to log in directly, via telnet, sshd, or whatever. The issue here is that a malicious individual could attempt to guess and/or brute-force the root password. The preferred procedure is to create a non-root user who is in the wheel group (for *BSD specifically), and use su to become root after logon. There are a few specific cases where it may be beneficial for root to be allowed to log on directly, if only for a short period of time; unfortunately I don't know of any way to configure sshd to allow this during the actual install.

For the most part, this default setting is considered a 'good thing' in terms of out-of-box security.

--K
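The setting this thread is about can be audited from a shell; the script below is added here as an example and is not part of the original message or of FreeBSD. It reports the effective global PermitRootLogin value of an sshd_config file, following OpenSSH's rule that the first uncommented occurrence of a keyword wins and that anything after a Match line is conditional; the "yes" fallback for an absent keyword is the assumed upstream compiled-in default (FreeBSD's shipped file overrides it to "no", as the message says).

```shell
#!/bin/sh
# Added example (not from the original message): report the effective global
# PermitRootLogin value of an sshd_config file.

effective_permit_root_login() {   # $1: path to an sshd_config file
    awk '
        { sub(/^[ \t]+/, "") }                        # strip leading whitespace
        $0 == "" || substr($0, 1, 1) == "#" { next }  # blank or comment line
        {
            n = split($0, f, /[ \t=]+/)   # accepts "Key val", "Key=val", "Key = val"
            key = tolower(f[1])           # keywords are case-insensitive
        }
        key == "match" { exit }           # conditional block: global scan ends here
        key == "permitrootlogin" && n >= 2 { print f[2]; found = 1; exit }
        END { if (!found) print "yes" }   # assumed compiled-in default when absent
    ' "$1"
}

# Only "yes" lets root in with a password; "no" and the key-only /
# forced-command variants do not.
root_password_login_possible() {   # $1: path; exit 0 if a root password login is possible
    case "$(effective_permit_root_login "$1")" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample configs (not files taken from any real system)
tmp=$(mktemp -d)
printf 'Port 22\n  PermitRootLogin no\nMatch User backup\n\tPermitRootLogin yes\n' > "$tmp/freebsd.conf"
printf '#PermitRootLogin no\nPort 22\n' > "$tmp/default.conf"    # commented out: default applies
printf 'permitrootlogin=without-password\n' > "$tmp/keyonly.conf"

for name in freebsd default keyonly; do
    printf '%-8s -> %s\n' "$name" "$(effective_permit_root_login "$tmp/$name.conf")"
done
rm -rf "$tmp"
```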