Date: Fri, 05 Oct 2001 12:08:55 -0400
From: Kutulu <kutulu@kutulu.org>
To: Sheldon Hearn <sheldonh@starjuice.net>
Cc: stable@FreeBSD.ORG
Subject: Re: Why sshd:PermitRootLogin = no ?
Message-ID: <5.1.0.14.0.20011005120304.009f8590@127.0.0.1>
In-Reply-To: <19436.1002297239@axl.seasidesoftware.co.za>

At 05:53 PM 10/05/2001 +0200, Sheldon Hearn wrote:
>Why is sshd's PermitRootLogin set to 'no' in the default installation of
>FreeBSD?
>
>The security gain for a brand new installation is questionable. The
>downside is that, when you have remote hands pressing the buttons for
>you during the installation, an extra user has to be created by those
>hands.

Typically it is considered very insecure to allow an UID 0 user to log in directly, via telnet, sshd, or whatever. The issue here is that a malicious individual could attempt to guess and/or brute-force the root password. The preferred procedure is to create a non-root user who is in the wheel group (for *BSD specifically), and use su to become root after logon.

There are a few specific cases where it may be beneficial for root to be allowed to log on directly, if only for a short period of time; unfortunately I don't know of any way to configure sshd to allow this during the actual install. For the most part, this default setting is considered a 'good thing' in terms of out-of-box security.

--K
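
An added example, not part of the original message: a shell check for the arrangement the reply describes (direct root login off in sshd_config, plus a non-root wheel member who can su). The function names and sample files are constructed for illustration, and Include directives are not followed.

```shell
#!/bin/sh
# Added example. Paths are arguments so the checks can run on copies of the files.

# Print the global PermitRootLogin value from an sshd_config file, or "unset".
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Lines after the first "Match" are conditional, not global.
root_login_setting() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)          # accept "Keyword=value"
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit                 # global section ends here
            if (key == "permitrootlogin" && n >= 2) { print f[2]; found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# Count wheel members other than root listed in a group(5) file.
wheel_admins() {
    awk -F: '$1 == "wheel" { n = split($4, m, ",")
                 for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") c++ }
             END { print c + 0 }' "$1"
}

# Succeed only when direct root login is off and someone else can su to root.
check_policy() {
    [ "$(root_login_setting "$1")" = "no" ] && [ "$(wheel_admins "$2")" -gt 0 ]
}

# Constructed sample files (not taken from any real host).
SAMPLES=$(mktemp -d)
printf '%s\n' '# constructed' 'Port 22' 'permitrootlogin no' 'PermitRootLogin yes' \
    > "$SAMPLES/sshd_ok"
printf '%s\n' 'Port 22' 'Match Address 192.0.2.0/24' '    PermitRootLogin no' \
    > "$SAMPLES/sshd_unset"
printf '%s\n' 'wheel:*:0:root,alice' 'operator:*:5:root' > "$SAMPLES/group_ok"
printf '%s\n' 'wheel:*:0:root' > "$SAMPLES/group_rootonly"

for cfg in sshd_ok sshd_unset; do
    echo "$cfg: PermitRootLogin=$(root_login_setting "$SAMPLES/$cfg")"
done
check_policy "$SAMPLES/sshd_ok" "$SAMPLES/group_ok" && echo "policy ok"
```

A setting that appears only inside a Match block is reported as "unset", since it does not apply to every connection.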