Problem with ssh connection
Matthew Dillon
dillon at apollo.backplane.com
Tue Oct 24 12:32:57 PDT 2006
:/etc/ssh/sshd_config Default:
:PermitRootLogin no
:
:You shouldn't change it, but if you know what you're doing you
:can set it to yes.
Never set it to 'yes'. Never allow manual password entry for a root
login, ever. You can set it to 'without-password' which means that
ssh will accept root logins with valid public key pairs only.
For that matter, for anyone who is serious about security, never
allow a passworded login (ssh or otherwise) for ANY account. The
password field for every single account on your machine except
root(1) should be '*'. Allow logins via the ssh key pairs ONLY,
for all your accounts, and throw a password on your SSH private key
instead. Do not run telnetd, rlogind, or any other login service.
Run ftp ONLY to allow anonymous ftp, NEVER for account ftp (require
people to use sftp instead, which operates via ssh).
(note 1): ssh does not allow root logins by default, so it is
usually safe to have a password on your root account (or even no password
at all, which is what I do, so I can login on the console trivially).
Make sure you aren't running services that allow root logins.
Here is an example: crater.dragonflybsd.org's /etc/inetd.conf:
ftp stream tcp nowait/99/10/2 root /usr/libexec/ftpd ftpd -l -l -A
That's the entire inetd.conf on crater. And the only login service I
enable on crater (or any of my machines) is sshd with the PermitRootLogin
config set to 'without-password' for public-key access only.
-Matt
Matthew Dillon
<dillon at xxxxxxxxxxxxx>
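The following is an added example, not part of Matt's post and not DragonFly project code: a small POSIX sh audit that checks the three things the post prescribes (PermitRootLogin set to without-password or no with password logins off, '*' in every non-root password field, and an inetd.conf with no login services and ftpd restricted to anonymous access). It assumes the sshd_config rule that the first value seen for a keyword wins, the BSD master.passwd field layout (password in field 2), and BSD ftpd's -A flag meaning anonymous-only. The sample files it writes are constructed for the demonstration; point the same functions at /etc/ssh/sshd_config, /etc/master.passwd and /etc/inetd.conf to audit a real host.

```shell
#!/bin/sh
# Added example (not from the post or from DragonFly). Audits the settings
# the post insists on, against constructed sample files.

# First value set for an sshd_config keyword (sshd uses the first one it
# sees), lower-cased; empty if the keyword is commented out or absent.
ssh_opt() {
    awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }' "$1"
}

# 1. sshd_config: PermitRootLogin must be "no" or "without-password" (newer
#    OpenSSH spells it "prohibit-password"), and password plus
#    challenge-response auth must be off so only key pairs are accepted.
#    An unset keyword is reported as a failure rather than trusting a default.
check_sshd_config() {
    sshrc=0
    prl=$(ssh_opt "$1" permitrootlogin)
    case "$prl" in
        no|without-password|prohibit-password) ;;
        *) echo "FAIL $1: PermitRootLogin is '${prl:-unset}', want without-password or no"
           sshrc=1 ;;
    esac
    for kw in passwordauthentication challengeresponseauthentication; do
        v=$(ssh_opt "$1" "$kw")
        [ "$v" = no ] || { echo "FAIL $1: $kw is '${v:-unset}', want no"; sshrc=1; }
    done
    return $sshrc
}

# 2. master.passwd: every account except root must have '*' in the password
#    field, so there is no password anywhere for a service to accept.
check_passwd_file() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }
        $1 != "root" && $2 != "*" {
            bad++
            printf "FAIL %s: account %s has a password field other than *\n", FILENAME, $1
        }
        END { if (bad) exit 1 }' "$1"
}

# 3. inetd.conf: no telnet/login/shell/exec entries, and ftpd only with -A
#    (BSD ftpd: anonymous access only). Fields 7 onward are ftpd's argv.
check_inetd_conf() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "telnet" || $1 == "login" || $1 == "shell" || $1 == "exec" {
            bad++
            printf "FAIL %s: login service %s is enabled\n", FILENAME, $1
        }
        $1 == "ftp" {
            anon = 0
            for (i = 7; i <= NF; i++) if ($i ~ /^-[A-Za-z]*A/) anon = 1
            if (!anon) {
                bad++
                printf "FAIL %s: ftpd runs without -A, so account logins are possible\n", FILENAME
            }
        }
        END { if (bad) exit 1 }' "$1"
}

# Returns 0 only when all three files pass.
audit() {
    status=0
    check_sshd_config "$1" || status=1
    check_passwd_file "$2" || status=1
    check_inetd_conf "$3" || status=1
    return $status
}

# Constructed samples in directory $1. The "bad" set follows the quoted
# advice (PermitRootLogin yes, passwords left usable, ftpd without -A plus
# telnetd); the "good" set follows the post, including crater's inetd.conf.
write_samples() {
    printf 'PermitRootLogin yes\n#PasswordAuthentication no\n' > "$1/sshd_config.bad"
    printf '%s\n' 'PermitRootLogin without-password' 'PasswordAuthentication no' \
        'ChallengeResponseAuthentication no' 'PubkeyAuthentication yes' > "$1/sshd_config.good"
    cat > "$1/master.passwd.bad" <<'EOF'
root::0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:0:Alice:/home/alice:/bin/csh
guest:$1$sample$notarealhash:1002:1002::0:0:Guest:/home/guest:/bin/sh
EOF
    head -n 2 "$1/master.passwd.bad" > "$1/master.passwd.good"
    cat > "$1/inetd.conf.bad" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
EOF
    echo 'ftp stream tcp nowait/99/10/2 root /usr/libexec/ftpd ftpd -l -l -A' > "$1/inetd.conf.good"
}

tmp=$(mktemp -d "${TMPDIR:-/tmp}/ssh-audit.XXXXXX")
write_samples "$tmp"
echo "== quoted advice =="
audit "$tmp/sshd_config.bad" "$tmp/master.passwd.bad" "$tmp/inetd.conf.bad" && echo PASS || echo REJECTED
echo "== the post's setup =="
audit "$tmp/sshd_config.good" "$tmp/master.passwd.good" "$tmp/inetd.conf.good" && echo PASS || echo REJECTED
rm -rf "$tmp"
```

The first run prints three FAIL lines for the sshd_config (PermitRootLogin yes, two password keywords unset), one for the guest account, and two for inetd.conf, then REJECTED; the second prints PASS. Treating an unset keyword as a failure is deliberate: the audit should not depend on which OpenSSH version's defaults happen to be installed.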
More information about the Users
mailing list