DragonFly BSD
DragonFly users List (threaded) for 2006-10

Re: Problem with ssh connection

From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 24 Oct 2006 12:28:14 -0700 (PDT)

:/etc/ssh/sshd_config Default:
:PermitRootLogin no
:You shouldn't change it, but if you know what you're doing you
:can set it to yes.

    Never set it to 'yes'.  Never allow manual password entry for a root
    login, ever.  You can set it to 'without-password' which means that
    ssh will accept root logins with valid public key pairs only.

    For that matter, for anyone who is serious about security, never
    allow a passworded login (ssh or otherwise) for ANY account.  The
    password field for every single account on your machine except
    root(1) should be '*'.  Allow logins via the ssh key pairs ONLY,
    for all your accounts, and throw a password on your SSH private key
    instead.  Do not run telnetd, rlogind, or any other login service.
    Run ftp ONLY to allow anonymous ftp, NEVER for account ftp (require
    people to use sftp instead, which operates via ssh).

    (note 1): ssh does not allow root logins by default, so it is
    usually safe to have a password on your root account (or even no password
    at all, which is what I do, so I can log in on the console trivially).
    Make sure you aren't running services that allow root logins.

    Here is an example:  crater.dragonflybsd.org's /etc/inetd.conf:

	ftp stream tcp nowait/99/10/2 root /usr/libexec/ftpd ftpd -l -l -A

    That's the entire inetd.conf on crater.  And the only login service I
    enable on crater (or any of my machines) is sshd with the PermitRootLogin
    config set to 'without-password' for public-key access only.

					Matthew Dillon 
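Added example, not code from Matthew Dillon's post or from DragonFly BSD: a POSIX shell script that checks the three things the post asks for on one host, namely that sshd refuses password logins (root and otherwise), that every non-root account has `*` in the password field, and that inetd offers no login service. All input is constructed sample data embedded in the script; the `audit_sshd`, `passworded_accounts` and `inetd_login_services` function names are my own. On a real host you would feed the functions the contents of `/etc/ssh/sshd_config`, `/etc/master.passwd` and `/etc/inetd.conf` instead.

```shell
#!/bin/sh
# Added example (not from the original post or from DragonFly BSD).
# Audits sshd_config, master.passwd and inetd.conf for the settings the
# post recommends.  All data below is constructed sample input.

# Constructed sshd_config fragment with the weak settings the post warns
# against ...
WEAK_SSHD='PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes'

# ... and its hardened counterpart: root by public key only, no password
# or keyboard-interactive logins for anyone.
HARDENED_SSHD='PermitRootLogin without-password
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes'

# Effective value of one sshd_config keyword.  sshd honours the FIRST
# occurrence of a keyword and matches keywords case-insensitively; lines
# starting with '#' are comments.  Assumes the "Keyword value" form, not
# "Keyword=value".
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Print one finding per line; print nothing when the config is acceptable.
audit_sshd() {
    _root=$(sshd_option "$1" PermitRootLogin)
    _pw=$(sshd_option "$1" PasswordAuthentication)
    _cr=$(sshd_option "$1" ChallengeResponseAuthentication)
    [ "$_root" = yes ] && echo "PermitRootLogin yes: set it to without-password"
    # PasswordAuthentication and ChallengeResponseAuthentication default to
    # yes in OpenSSH, so an unset keyword counts as a finding too.
    [ "$_pw" = no ] || echo "PasswordAuthentication is not 'no'"
    [ "$_cr" = no ] || echo "ChallengeResponseAuthentication is not 'no'"
    return 0
}

# Constructed /etc/master.passwd lines (BSD format:
# name:password:uid:gid:class:change:expire:gecos:home:shell).
# The hashes are placeholders, not real password hashes.
SAMPLE_MASTER_PASSWD='root:$2b$10$CONSTRUCTEDHASH:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$CONSTRUCTED$HASH:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol::1003:1003::0:0:Carol:/home/carol:/bin/sh'

# Accounts other than root whose password field is not '*', i.e. accounts
# a password-based service could still log in to.  An empty field (carol)
# is flagged as well: that is no password at all.
passworded_accounts() {
    printf '%s\n' "$1" | awk -F: '$1 != "root" && $2 != "*" { print $1 }'
}

# Constructed inetd.conf: the crater ftpd line from the post plus two of the
# login services the post says never to run (rlogind is commented out, so
# it is not a finding).
SAMPLE_INETD='ftp stream tcp nowait/99/10/2 root /usr/libexec/ftpd ftpd -l -l -A
telnet stream tcp nowait root /usr/libexec/telnetd telnetd
#login stream tcp nowait root /usr/libexec/rlogind rlogind
shell stream tcp nowait root /usr/libexec/rshd rshd'

# Enabled inetd services that hand out a login or a remote shell.
inetd_login_services() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "telnet" || $1 == "login" || $1 == "shell" || $1 == "exec" { print $1 }'
}

echo "== weak sshd_config =="
audit_sshd "$WEAK_SSHD"
echo "== hardened sshd_config (no output expected) =="
audit_sshd "$HARDENED_SSHD"
echo "== non-root accounts still reachable by password =="
passworded_accounts "$SAMPLE_MASTER_PASSWD"
echo "== inetd login services =="
inetd_login_services "$SAMPLE_INETD"
```

`without-password` is still accepted by current OpenSSH as an alias of `prohibit-password`, the name it was given in OpenSSH 7.0, so the hardened fragment works on both the 2006-era sshd the post describes and a modern one.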
