DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD Security

FreeBSD Security Securing FreeBSD.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 16th December 2009
carpman carpman is offline
Shell Scout
 
Join Date: Jul 2008
Posts: 94
Default prevent root ssh access

Hello, ok i want to prevent root access via ssh over network, thing is i need to have
Code:
PermitRootLogin without-password

so need to find another method, i did find a guide that said

Code:
Edit /etc/securetty

comment out everything except for the lines

    * console
    * tty1
    * v/tty1

thing is this file is not on my freeebsd 6.3 ?

cheers
Reply With Quote
  #2   (View Single Post)  
Old 16th December 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

Why not just set PermitRootLogin no per sshd_config(5)?
Reply With Quote
  #3   (View Single Post)  
Old 16th December 2009
phoenix's Avatar
phoenix phoenix is offline
Risen from the ashes
 
Join Date: May 2008
Posts: 696
Default

Either you need root access via SSH, or you don't. It's a binary option.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
Reply With Quote
  #4   (View Single Post)  
Old 17th December 2009
carpman carpman is offline
Shell Scout
 
Join Date: Jul 2008
Posts: 94
Default

Thanks for replies, the server is running hsphere and so requires that i have
Code:
PermitRootLogin without-password
to allow CP to work, it needs root ssh at local level but i do not require or want over network which why i would like to know if can use another method other than sshd_config.

cheers
Reply With Quote
  #5   (View Single Post)  
Old 17th December 2009
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

According to http://www.forum.psoft.net/showthread.php?t=23824 you require without-password in order for two hsphere servers to transfer data.

"without-password' means password authentication cannot be used for root sessions, hence some other authentication method must be used. According to the same link, Hsphere uses shared keys.

A properly functioning ssh(1) client will not prompt for passwords. Brute force scripts (ssh attacks) don't use real ssh clients and will submit passwords anyway, which sshd(8) will ignore, though it will tell you about them it its logs.

Choices:
  • ignore this, knowing that another valid form of authentication must be used for root access.
  • Disable sshd access via firewall from any but confirmed IP addresses of your hsphere servers
  • In combination with the firewall, above, set up a second sshd(8) daemon listening on another port, that disallows root logins. Use this other daemon for non-Hsphere ssh use.
  • If Hsphere allows non-standard ssh connection ports, set up a private sshd daemon to listen for hspehre connections on another port, and use the default port 22 daemon for everything else. Set up an appropriate firewall, allowing only hsphere servers access to this daemon.

Last edited by jggimi; 17th December 2009 at 11:02 AM.
Reply With Quote
  #6   (View Single Post)  
Old 17th December 2009
ckeeper ckeeper is offline
New User
 
Join Date: May 2008
Posts: 2
Default

you cannot change the default port for SSH for hsphere because you're going to need to change it in all script and some are compiled so you can't do it.
And if the CP can't talk to other machine its all your setup that going to stop working.

Anyway with "without-password" the guy need to have access to your machine first to generate a key to put it on his machine to after that login. Even with this option you can't log with the root password directly.

If you concern about security about your SSH, your best choice here is to add Firewall to limit access to SSH to have 1 machine behind is to accept SSH.
Reply With Quote
  #7   (View Single Post)  
Old 17th December 2009
phoenix's Avatar
phoenix phoenix is offline
Risen from the ashes
 
Join Date: May 2008
Posts: 696
Default

Quote:
Originally Posted by ckeeper View Post
Anyway with "without-password" the guy need to have access to your machine first to generate a key to put it on his machine to after that login. Even with this option you can't log with the root password directly.
You don't have to generate keys on the system you will be accessing using that key. You can generate keys on any system, even Windows using puttygen. You don't need SSH access to the system in order to put the key in place, either. You just need to be able to write to ~/.ssh/authorized_keys. Which is why .ssh/ should have permissions set to 700, so that if someone hacks the web server, gets shell access, etc, they still won't be able to write to that directory without having root access.
__________________
Freddie

Help for FreeBSD: Handbook, FAQ, man pages, mailing lists.
Reply With Quote
  #8   (View Single Post)  
Old 18th December 2009
ckeeper ckeeper is offline
New User
 
Join Date: May 2008
Posts: 2
Default

Oh yeah true, my bad, I had something else in my mind when I have write that part
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
root on ZFS gkontos FreeBSD Installation and Upgrading 12 18th December 2009 09:43 AM
ssh key access non root users carpman FreeBSD Security 7 12th August 2009 06:09 PM
Prevent users from using proxy bichumo General software and network 8 20th April 2009 01:00 PM
ssh root Nk2Network OpenBSD Security 22 8th April 2009 06:59 PM
root mail sheriff26 FreeBSD General 5 2nd July 2008 04:56 PM


All times are GMT. The time now is 10:19 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick