Problem with ssh connection

Matthew Dillon dillon at apollo.backplane.com
Tue Oct 24 12:32:57 PDT 2006


:/etc/ssh/sshd_config Default:
:PermitRootLogin no
:
:You shouldn't change it, but if you know what you're doing you
:can set it to yes.

    Never set it to 'yes'.  Never allow manual password entry for a root
    login, ever.  You can set it to 'without-password' which means that
    ssh will accept root logins with valid public key pairs only.

    For that matter, for anyone who is serious about security, never
    allow a passworded login (ssh or otherwise) for ANY account.  The
    password field for every single account on your machine except
    root(1) should be '*'.  Allow logins via the ssh key pairs ONLY,
    for all your accounts, and throw a password on your SSH private key
    instead.  Do not run telnetd, rlogind, or any other login service.
    Run ftp ONLY to allow anonymous ftp, NEVER for account ftp (require
    people to use sftp instead, which operates via ssh).

    (note 1): ssh does not allow root logins by default, so it is
    usually safe to have a password on your root account (or even no password
    at all, which is what I do, so I can log in on the console trivially).
    Make sure you aren't running services that allow root logins.

    Here is an example:  crater.dragonflybsd.org's /etc/inetd.conf:

	ftp stream tcp nowait/99/10/2 root /usr/libexec/ftpd ftpd -l -l -A

    That's the entire inetd.conf on crater.  And the only login service I
    enable on crater (or any of my machines) is sshd with the PermitRootLogin
    config set to 'without-password' for public-key access only.

					-Matt
					Matthew Dillon 
					<dillon at xxxxxxxxxxxxx>
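An added example, not part of Matt's post and not DragonFly's own code: a small POSIX sh audit that checks the two things he recommends, that sshd_config restricts PermitRootLogin to key-only access and that every non-root account has '*' in its password field, and that rewrites a config the way he describes. The sshd_config and passwd lines below are constructed samples, not real files; 'without-password' is the spelling used on the page (newer OpenSSH releases also accept 'prohibit-password' as the same setting).

```shell
#!/bin/sh
# Constructed sample sshd_config (assumption: a typical default with the
# weak settings Matt warns about). sshd uses the first uncommented match
# for each keyword, and keywords are case-insensitive.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real host
Port 22
PermitRootLogin yes
PasswordAuthentication yes
'

# Constructed passwd-style lines (user:password:uid:gid:gecos:home:shell).
# Field 2 is the password field in both /etc/passwd and BSD master.passwd;
# the hashes are placeholders, not real values.
SAMPLE_PASSWD='root:$2b$PLACEHOLDER_ROOT:0:0:root:/root:/bin/sh
alice:*:1001:1001:alice:/home/alice:/bin/sh
bob:$2b$PLACEHOLDER_BOB:1002:1002:bob:/home/bob:/bin/sh
'

# Print the effective value of one sshd_config keyword ($2) from config text ($1).
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# Succeed only if root may not log in with a password: "no", or the
# key-only settings "without-password" / "prohibit-password".
root_login_ok() {
    v=$(sshd_option "$1" PermitRootLogin)
    case "$v" in
        no|without-password|prohibit-password) return 0 ;;
        *) return 1 ;;
    esac
}

# List non-root accounts whose password field is anything other than '*'.
passworded_accounts() {
    printf '%s\n' "$1" | awk -F: '$1 != "root" && $1 != "" && $2 != "*" { print $1 }'
}

# Rewrite the two keywords to Matt's recommended values and keep the rest.
harden_sshd_config() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && tolower($1) == "permitrootlogin"        { print "PermitRootLogin without-password"; next }
        $1 !~ /^#/ && tolower($1) == "passwordauthentication" { print "PasswordAuthentication no"; next }
        { print }'
}

# Report on the constructed samples; on a real host the same functions
# would be fed /etc/ssh/sshd_config and the passwd database instead.
if root_login_ok "$SAMPLE_SSHD_CONFIG"; then
    echo "PermitRootLogin: ok"
else
    echo "PermitRootLogin is '$(sshd_option "$SAMPLE_SSHD_CONFIG" PermitRootLogin)': set it to without-password"
fi
for u in $(passworded_accounts "$SAMPLE_PASSWD"); do
    echo "account '$u' has a password set: replace the field with '*' and use an ssh key pair"
done
echo "--- hardened sshd_config ---"
harden_sshd_config "$SAMPLE_SSHD_CONFIG"
```

On the sample input the audit flags PermitRootLogin and the account 'bob', and the hardened output keeps Port 22 while switching root to key-only access and turning password authentication off for everyone. Pointing passworded_accounts at the real password file is the quick way to find the accounts that still need a '*'.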