Subject: PermitRootLogin in SSHd (WAS: Re: Telnet logins)
To: Dale Anderson <lime@lab.net>
From: Brian Seklecki <lavalamp@burghcom.com>
List: port-i386
Date: 08/19/2001 22:19:07
Dale Anderson wrote:
> 
> to enable telnet uncomment the line starting with "telnet"
> from inetd.conf - please put your ttys file back to normal!
> 
> run these two commands
> 
>                 /usr/bin/ssh-keygen -b 1024 -f /etc/ssh_host_key -N ''
>                 /usr/bin/ssh-keygen -d -f /etc/ssh_host_dsa_key -N ''
> 
> and add sshd to your system startup to enable ssh
> 
> watch my unconfigured system take shape
> 
> bash-2.04# /usr/bin/ssh-keygen -b 1024 -f /etc/ssh_host_key -N ''
> Generating RSA keys:  Key generation complete.
> Your identification has been saved in /etc/ssh_host_key.
> Your public key has been saved in /etc/ssh_host_key.pub.
> The key fingerprint is:
> 5b:36:3b:6c:3d:2f:58:b7:5a:84:29:08:94:dc:97:41 root@shit
> bash-2.04# /usr/bin/ssh-keygen -d -f /etc/ssh_host_dsa_key -N ''
> Generating DSA parameter and key.
> Your identification has been saved in /etc/ssh_host_dsa_key.
> Your public key has been saved in /etc/ssh_host_dsa_key.pub.
> The key fingerprint is:
> 9f:fb:ed:c3:cf:66:e1:3a:e0:8c:03:c0:06:84:f1:a1 root@shit
> bash-2.04# sshd
> bash-2.04# ssh localhost
> root@localhost's password:
> Last login: Sun Aug 19 15:42:24 2001 from localhost
> NetBSD 1.5 (GENERIC) #1: Sun Nov 19 21:42:11 MET 2000

Not to nitpick, but in a vacuum, you can ssh into a system as root, but
in production, you would probably never want to permit anyone to do that
(even/especially if you're using RSA/DSA key authentication).  The only
somewhat safe way I can see that implemented would be in combination
with hostname based ACLs.

In fact, I cast a vote for setting PermitRootLogin to FALSE in the
default sshd_config.

Anyone else?

--lava

> 
> Welcome to NetBSD!
> 
> Terminal type is xterm.
> We recommend creating a non-root account and using su(1) for root access.
> bash-2.04#
> 
> On Sun, 19 Aug 2001, Andy Ball wrote:
> 
> >
> > Hello!
> >
> > (running NetBSD/i386 1.5.1)
> >
> > The examples section of the ttys(5) man page gives example
> > entries for network pseudo ttys...
> >
> >   > # Network pseudo ttys -- don't enable getty
> >   > ttyp0   none    network
> >   > ttyp1   none    network off
> >
> > ...when I try the former in my /etc/ttys file, I get the
> > recurring error...
> >
> > "init: can't exec getty 'none' for port /dev/ttyp0: No such
> > file or directory"
> >
> > There is a ttyp0 file in /dev
> >
> > How can I configure this box to accept telnet logins from
> > the LAN it's connected to?
> >
> > Eventually I should probably replace telnet with ssh, but
> > that's a project for another day.  I'm trying to get the
> > basics working first.
> >
> > Regards,
> >   - Andy Ball.
> >
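An audit check for the PermitRootLogin point raised above, added here as an example and not part of the thread. It assumes the keyword/argument file format sshd reads, in which the first occurrence of a keyword wins and a missing keyword falls back to the compiled-in default, which for OpenSSH of that era was "yes"; the two sample config files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report the PermitRootLogin value
# that sshd would actually use for a given sshd_config. sshd honours the
# first occurrence of a keyword, skips '#' comment lines and matches
# keywords case-insensitively; if the keyword is absent, the compiled-in
# default applies ("yes" in OpenSSH of the 2001 era, so root login is on).

# effective_permit_root_login FILE -> prints the effective value
effective_permit_root_login() {
    val=$(awk '
        /^[ \t]*#/ { next }                              # comment line
        tolower($1) == "permitrootlogin" { print $2; exit }  # first match wins
    ' "$1")
    if [ -z "$val" ]; then
        echo "yes (default: keyword absent)"
    else
        echo "$val"
    fi
}

# Constructed sample configs: a weak one where the setting is only commented
# out, and a hardened one where the first occurrence disables root login.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/weak_sshd_config" <<'EOF'
HostKey /etc/ssh_host_key
HostKey /etc/ssh_host_dsa_key
# commented out, so the default (root login permitted) still applies
#PermitRootLogin no
EOF
cat > "$tmp/hardened_sshd_config" <<'EOF'
HostKey /etc/ssh_host_key
HostKey /etc/ssh_host_dsa_key
PermitRootLogin no
# a later duplicate is ignored by sshd; the first occurrence wins
PermitRootLogin yes
EOF

for f in "$tmp/weak_sshd_config" "$tmp/hardened_sshd_config"; do
    printf '%s: PermitRootLogin=%s\n' "$f" "$(effective_permit_root_login "$f")"
done
```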