Date:      Fri, 5 Oct 2001 13:40:29 -0700 (PDT)
From:      Matt Dillon <dillon@earth.backplane.com>
To:        Kutulu <kutulu@kutulu.org>
Cc:        Sheldon Hearn <sheldonh@starjuice.net>, stable@FreeBSD.ORG
Subject:   Re: Why sshd:PermitRootLogin = no ?
Message-ID:  <200110052040.f95KeTw84982@earth.backplane.com>
References:   <5.1.0.14.0.20011005120304.009f8590@127.0.0.1>


:>Why is sshd's PermitRootLogin set to 'no' in the default installation of
:>FreeBSD?
:>
:>The security gain for a brand new installation is questionable.  The
:>downside is that, when you have remote hands pressing the buttons for
:>you during the installation, an extra user has to be created by those
:>hands.
:
:Typically it is considered very insecure to allow an UID 0 user to log in 
:directly, via telnet, sshd, or whatever.  The issue here is that a 
:malicious individual could attempt to guess and/or brute-force the root 
:password.
:
:The preferred procedure is to create a non-root user who is in the wheel 
:group (for *BSD specifically), and use su to become root after logon.
:
:There are a few specific cases where it may be beneficial for root to be 
:allowed to log on directly, if only for a short period of time; 
:unfortunately I don't know of any way to configure sshd to allow this 
:during the actual install.  For the most part, this default setting is 
:considered a 'good thing' in terms of out-of-box security.
:
:--K

    Yes, exactly so.  Though I don't think it would hurt to change
    the default to:

    PermitRootLogin	without-password

    Which means that root can only login using a pre-authenticated 
    method such as an SSH key pair (aka ~root/.ssh/authorized_keys), or
    kerberos.  Passworded logins are still disallowed.

						-Matt
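As an added example (not part of the thread, and not FreeBSD's own tooling), a small POSIX shell audit that reports the global PermitRootLogin value an sshd_config file actually yields. It assumes a POSIX awk and relies on two rules of sshd's parser: the first value given for a keyword wins, and anything under a Match block is conditional rather than global. The sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit the global PermitRootLogin setting of an sshd_config.
# sshd keeps the FIRST value it sees for a keyword, so a line appended at the
# bottom to "turn off" root login is silently ignored if an earlier line
# already set it; lines under a Match block apply only when that Match holds.
set -e

# Print the global PermitRootLogin value, or "unset" when the file never sets
# it before the first Match block (the compiled-in default then applies,
# which differs between OpenSSH versions and OS packages).
permit_root_login() {
    awk '
        { sub(/#.*/, ""); gsub(/[ \t]*=[ \t]*/, " "); $0 = $0 }  # comments, Key=value form
        NF == 0 { next }
        tolower($1) == "match" { exit }                  # conditional section begins
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# "yes" means the root password can be guessed over the network; "no" means
# root is refused or limited to key, GSSAPI or forced-command authentication.
root_password_login() {
    case "$(permit_root_login "$1")" in
        yes) echo yes ;;
        no|without-password|prohibit-password|forced-commands-only) echo no ;;
        *) echo unknown ;;
    esac
}

# Constructed sample files (not real FreeBSD defaults).
SAMPLE_WEAK=$(mktemp); SAMPLE_FIXED=$(mktemp)
cat >"$SAMPLE_WEAK" <<'EOF'
# constructed: the second line was appended later and has no effect
PermitRootLogin yes
PermitRootLogin no
EOF
cat >"$SAMPLE_FIXED" <<'EOF'
# constructed: global value is key-only; the Match block is conditional
PermitRootLogin = without-password
Match Address 192.0.2.0/24
    PermitRootLogin yes
EOF

for f in "$SAMPLE_WEAK" "$SAMPLE_FIXED"; do
    printf 'global PermitRootLogin=%s -> root password login: %s\n' \
        "$(permit_root_login "$f")" "$(root_password_login "$f")"
done
rm -f "$SAMPLE_WEAK" "$SAMPLE_FIXED"
```

Newer OpenSSH releases spell Matt's suggested value `prohibit-password` and keep `without-password` as an alias; on a live host, `sshd -T | grep -i permitrootlogin` prints the value sshd itself resolves and is the authoritative check.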

