DaemonForums  


FreeBSD Security Securing FreeBSD.

#1
Old 7th May 2008
Johnny2Bad Johnny2Bad is offline
Port Guard
 
Join Date: May 2008
Posts: 21
Thanked 0 Times in 0 Posts
I know this is bad practice but...

Hi,
my FreeBSD 7.0 box is not connected to the internet (yet) and I would still like to telnet as root to it while I build it up and muck around. When I attempt to log in as root from my PC, I get refused access. Is there any way I can change the configuration on my FreeBSD box so I can telnet to it as root?

Thanks,
Jonathan.
#2
Old 7th May 2008
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Old man from scene 24
 
Join Date: Apr 2008
Location: Eindhoven, Netherlands
Posts: 2,068
Thanked 198 Times in 156 Posts

Why not use ssh?
It's just as easy (maybe even easier) to set up as telnet.

If you want to permit the root user to login, edit /etc/ssh/sshd_config and change this line:
Code:
#PermitRootLogin no
to:
Code:
PermitRootLogin yes
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.

Last edited by Carpetsmoker; 7th May 2008 at 11:50 AM. Reason: ugh, fix
#3
Old 7th May 2008
RandomSF RandomSF is offline
Port Guard
 
Join Date: May 2008
Location: Hartland, WI, USA
Posts: 13
Thanked 0 Times in 0 Posts

Carpetsmoker, do you mean to comment that line?
#4
Old 7th May 2008
mtx mtx is offline
Real Name: Valentin Bud
Fdisk Soldier
 
Join Date: May 2008
Location: RO/TM
Posts: 79
Thanked 5 Times in 3 Posts

... and of course reload sshd
Code:
# /etc/rc.d/sshd reload
all the best,
v
__________________
Stop! think! ... the problem is somewhere between the monitor and chair...
"First they ignore you, then they laugh at you, then they fight you, then you win." Gandhi
links: spreadbsd syk
#5
Old 7th May 2008
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts

I can't think of any good reason why you use telnet instead of ssh. May I know why?

And yes, remote connect as root is not just bad practice but uneducated. You should connect as a normal user and use "sudo" in the remote box.
#6
Old 7th May 2008
Johnny2Bad Johnny2Bad is offline
Port Guard
 
Join Date: May 2008
Posts: 21
Thanked 0 Times in 0 Posts

I was not using ssh because when I first tried it, it didn't work, even for other accounts. Now I have a decent telnet client that has an ssh option and it does work.

I also have looked at the sshd_config and there is no PermitRootLogin option. I put it in anyway and the machine still won't accept login from root remotely.

I might check out sudo and get back to you guys.

Cheers,
Jonathan.
#7
Old 7th May 2008
keithlybsd keithlybsd is offline
Port Guard
 
Join Date: May 2008
Posts: 10
Thanked 0 Times in 0 Posts

even if you don't use sudo

just ssh as a normal user, then elevate your privileges once you log in (su -).

This is not the best practice, but much better than sshing as root.

Then get sudo installed, and put yourself in the wheel group.
#8
Old 7th May 2008
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,142
Thanked 182 Times in 149 Posts

Quote:
Originally Posted by RandomSF View Post
Carpetsmoker, do you mean to comment that line?
No, you have to uncomment that line ; )
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#9
Old 7th May 2008
RandomSF RandomSF is offline
Port Guard
 
Join Date: May 2008
Location: Hartland, WI, USA
Posts: 13
Thanked 0 Times in 0 Posts

Quote:
Originally Posted by J65nko View Post
No you have to uncomment that line ; )
Yes, now that he has edited his post it's more like it.
Old 12th May 2008
protologic protologic is offline
New User
 
Join Date: May 2008
Posts: 5
Thanked 1 Time in 1 Post

Quote:
Originally Posted by Carpetsmoker View Post
Why not use ssh?
It's just as easy (Maybe even easier) to setup as telnet.

If you want to permit the root user to login, edit /etc/ssh/sshd_config and change this line:
Code:
#PermitRootLogin no
to:
Code:
PermitRootLogin yes
It might be easier to add the following to /etc/rc.conf instead of modifying /etc/ssh/sshd_config:

Code:
sshd_enable="YES"
sshd_flags="-oPermitRootLogin=yes"
This way you can keep your /etc/ssh files at their defaults (and easily replaced via mergemaster during an upgrade) and keep configuration options in /etc/rc.conf.
Old 12th May 2008
18Googol2 18Googol2 is offline
Real Name: whoami
Spam Deminer
 
Join Date: Apr 2008
Location: pwd
Posts: 283
Thanked 20 Times in 18 Posts

Quote:
It might be easier to add the following to /etc/rc.conf instead of modifying /etc/ssh/sshd_config:

Code:
sshd_enable="YES"
sshd_flags="-oPermitRootLogin=yes"
But then you need to reboot the server, which is another bad practice.
__________________
The power of plain text? It can control an entire OS
Old 12th May 2008
Carpetsmoker Carpetsmoker is offline
Real Name: Martin
Old man from scene 24
 
Join Date: Apr 2008
Location: Eindhoven, Netherlands
Posts: 2,068
Thanked 198 Times in 156 Posts

Code:
sh /etc/rc.d/sshd restart

Nice tip protologic.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
Old 12th May 2008
Oliver_H Oliver_H is offline
Real Name: Oliver Herold
UNIX lover
 
Join Date: May 2008
Location: Germany
Posts: 429
Thanked 26 Times in 22 Posts

Quote:
Originally Posted by 18Googol2 View Post
I can't think of any good reason why you use telnet instead of ssh. May I know why?

And yes, remote connect as root is not just bad practice but uneducated. You should connect as a normal user and use "sudo" in the remote box.
Tradition. We've been using telnet and ssh on campus for years, don't ask me why.
Old 12th May 2008
schrodinger schrodinger is offline
Fdisk Soldier
 
Join Date: May 2008
Location: Ireland
Posts: 69
Thanked 2 Times in 2 Posts

Quote:
Originally Posted by 18Googol2 View Post
But then you need to reboot the server, which is another bad practice
Does restarting sshd from /etc/rc.d/sshd restart not read in those flag options?
__________________
It was a new day yesterday, but it's an old day now.
Old 12th May 2008
stukov stukov is offline
Real Name: Jean-Michel Philippon-Nadeau
Package Pilot
 
Join Date: May 2008
Location: Sherbrooke, Qc, Canada
Posts: 167
Thanked 6 Times in 6 Posts

Quote:
Originally Posted by schrodinger View Post
Does restarting sshd from /etc/rc.d/sshd restart not read in those flag options?
Yes it does. From the man:
Quote:
The purpose of rc.conf is not to run commands or perform system startup
actions directly. Instead, it is included by the various generic startup
scripts in /etc which conditionalize their internal actions according to
the settings found there.
__________________
"Any intelligent fool can make things bigger, more complex, and more violent. It takes a touch of genius -- and a lot of courage -- to move in the opposite direction."
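The thread leaves two places where PermitRootLogin can be set: the directive in /etc/ssh/sshd_config (Carpetsmoker's post) and an -oPermitRootLogin override passed through sshd_flags in /etc/rc.conf (protologic's post). The following audit helper is an added example, not code from the thread or from FreeBSD; it reads both files and reports the value sshd will actually use, so an administrator can confirm root login really is disabled again once the build-up phase is over. The two file paths are parameters and all sample file contents are constructed.

```shell
#!/bin/sh
# Added audit helper, not code from the thread: report the PermitRootLogin
# value FreeBSD's sshd will actually use. sshd applies -o options from its
# command line (here, sshd_flags in rc.conf) before it reads sshd_config, and
# for this keyword the first value obtained wins, so the rc.conf override
# takes precedence over the file. All file contents below are constructed.

# effective_permit_root_login SSHD_CONFIG RC_CONF
# Prints the effective value, or "unset" (sshd's compiled-in default applies).
effective_permit_root_login() {
    sshd_config="$1"
    rc_conf="$2"
    # 1. Override via rc.conf: sshd_flags="... -oPermitRootLogin=value ..."
    #    ("-oKey=value" and "-o Key=value" spellings are both accepted).
    flag=$(sed -n 's/^sshd_flags="\(.*\)"/\1/p' "$rc_conf" 2>/dev/null \
           | sed 's/-o  */-o/g' | tr ' ' '\n' \
           | sed -n 's/^-oPermitRootLogin=//p' | head -n 1)
    if [ -n "$flag" ]; then
        echo "$flag"
        return 0
    fi

    # 2. First uncommented PermitRootLogin directive in sshd_config wins;
    #    "#PermitRootLogin no" is a comment and does not count. Match blocks
    #    are not modelled here.
    val=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' \
          "$sshd_config" 2>/dev/null)
    if [ -n "$val" ]; then
        echo "$val"
        return 0
    fi

    echo "unset"
}

# Constructed sample files: a stock-looking sshd_config, one edited to forbid
# root login, and an rc.conf carrying the override posted in the thread.
demo_dir=$(mktemp -d)
printf '%s\n' '#PermitRootLogin no' 'Subsystem sftp /usr/libexec/sftp-server' \
    > "$demo_dir/sshd_config.stock"
printf '%s\n' 'PermitRootLogin no' 'PermitRootLogin yes' > "$demo_dir/sshd_config.no"
printf '%s\n' 'sshd_enable="YES"' > "$demo_dir/rc.conf.plain"
printf '%s\n' 'sshd_enable="YES"' 'sshd_flags="-oPermitRootLogin=yes"' \
    > "$demo_dir/rc.conf.override"
for cfg in sshd_config.stock sshd_config.no; do
    for rc in rc.conf.plain rc.conf.override; do
        echo "$cfg + $rc -> $(effective_permit_root_login "$demo_dir/$cfg" "$demo_dir/$rc")"
    done
done
```

On a live host, `sshd -T` prints the same effective value directly, but it needs root and runs sshd's own parser; the helper above only needs read access to the two files.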