SSH problem
tarballed
October 11th, 2002, 19:38
Really quick question here. (I'm currently at work and been having a hard time finding the answer...hehe)
Real quickly, I've set up a FreeBSD 4.5 box and now I'm trying to SSH to the box. Problem is that when I try and SSH, I log in as root, then enter the password. It comes back with "Permission Denied."
Now, if I set up a monitor and keyboard on the box, I can log right in with ROOT and the correct password. I've tried resetting the password, rebooting the box, all to no avail.
Anyone have suggestions on where to start here?
Thanks
Tarballed
elmore
October 11th, 2002, 19:48
edit /etc/ssh/sshd_config
and change the line that says PermitRootLogin from no to yes, then just
run "ps ax | grep sshd" followed by " kill -HUP <processnumber>"
login and you're golden.
frisco
October 11th, 2002, 22:06
run "ps ax | grep sshd" followed by " kill -HUP <processnumber>"
nitpicking...
since it can be confusing sorting through ps ax|grep sshd (ok, less so since advent of privsep)...
kill -HUP `cat /var/run/sshd.pid`
or if you need to be ultra sure verify first (like when logged in remotely cross country)...
ps -up `cat /var/run/sshd.pid`
kill -HUP `cat /var/run/sshd.pid`
same applies to various other services...
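The two steps above (check what sshd_config says about root logins, then HUP sshd via its pid file) as an added shell example; this is not code from the thread. It audits the PermitRootLogin directive from a defender's point of view and refuses to send the signal unless the pid in the pid file really belongs to an sshd process. The pid file path defaults to /var/run/sshd.pid as frisco uses; the sample config lines in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread.
# 1. Read the effective PermitRootLogin value from an sshd_config file.
# 2. Reload sshd through its pid file, verifying the pid first.

# OpenSSH uses the first matching directive, so the first uncommented
# PermitRootLogin line wins; keyword and value are case-insensitive.
permit_root_login_value() {
    awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1"
}

# Return 0 when root cannot log in with a password over ssh,
# 1 when password root login is allowed, 2 when the file does not say.
# If the directive is absent the compiled-in default applies
# (yes on old releases such as the 4.5-era sshd discussed here,
# prohibit-password since OpenSSH 7.0).
check_permit_root_login() {
    value=$(permit_root_login_value "$1")
    case "$value" in
        no|prohibit-password|without-password) return 0 ;;
        yes) return 1 ;;
        "") echo "PermitRootLogin not set; compiled-in default applies" >&2; return 2 ;;
        *)  echo "unexpected PermitRootLogin value: $value" >&2; return 2 ;;
    esac
}

# Reload sshd via its pid file. Before signalling, confirm the pid is numeric
# and that the process really is sshd (the "verify first" step frisco does
# with ps -up). Any doubt means no signal is sent.
reload_sshd() {
    pidfile=${1:-/var/run/sshd.pid}
    [ -r "$pidfile" ] || { echo "no readable pid file at $pidfile" >&2; return 1; }
    pid=$(cat "$pidfile")
    case "$pid" in
        ''|*[!0-9]*) echo "pid file $pidfile does not hold a pid" >&2; return 1 ;;
    esac
    # POSIX ps: print only the command name of that one pid
    comm=$(ps -o comm= -p "$pid" 2>/dev/null)
    case "$comm" in
        sshd|*/sshd) kill -HUP "$pid" ;;
        *) echo "pid $pid is '${comm:-not running}', not sshd; refusing to signal" >&2
           return 1 ;;
    esac
}

# Usage on a real box (both steps need root):
#   check_permit_root_login /etc/ssh/sshd_config || echo "root login allowed"
#   reload_sshd /var/run/sshd.pid
```

Note that `kill -HUP` only makes sshd re-read its configuration; it does not cut existing sessions, so running this over the very ssh session you are editing from is safe.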
elmore
October 11th, 2002, 23:50
Showoff! :lol:
tarballed
October 12th, 2002, 10:59
Woot! Woot!
Worked like a charm. I had a pretty good feeling that the problem I was having was due to FreeBSD not allowing a remote root login. At the time, I was at work and was setting up a FreeBSD server. I was pressed for time and did not really have a chance to search for the answer. I posted in desperation. :oops: Normally, I would try and research the problem and then post. I learn better that way. :)
Thanks again guys.
Tarballed
Strog
November 27th, 2002, 11:13
I'm surprised no one had this reply.
There are several good reasons why root isn't allowed to login via ssh and it really should be left that way for improved security.
Good practices would be to use su or even better sudo for things that need root access and login as an unprivileged user. There are several attacks against remote machines that can be used on you if you login as root that would not be possible if you logged in as an unprivileged user.
The less code being run as root, the more secure your system can be.
I have seen a box compromised (not *BSD but could have been) when the admin always logged in as root. He used Gnome and so a LOT of programs were running as root. It looked like the attacker went after X but may have gotten some help from a buffer overflow from something running with Gnome (maybe not though). Most of this had to be pieced together from IDS logs, syslog, etc. since the system was messed up pretty bad.
I'm not telling you that you have to do this but strongly recommend it for your peace of mind that you are doing all you can to secure your box.
elmore
November 27th, 2002, 13:35
Hmmm.... Of course there are always reasons to login as root, particularly if the box has no other user accounts.
I.E. I have a firewall. It allows ssh connections to the internal interface only and pf is configured to only accept incoming connections to port 22 from a single address at that.
Not to mention I believe tarballed was only looking for a way to configure a server on his own personal home net. As the box is not public and since he has an external firewall (thus the box on the inside protected) I see no reason why this is an issue. Particularly since he was only looking to do this temporarily. There are several other threads tarballed started that relate to this one in particular.
Anyways, just my thoughts. :)
frisco
November 27th, 2002, 14:10
Hmmm.... Of course there are always reasons to login as root, particularly if the box has no other user accounts.
then other accounts should be created!
Strog has a great point which should have been mentioned before- what was i thinking?!?!
I can't really think of any circumstance I've encountered that needed me to ssh in as root, and can't think of any machines I have that allow root logins (I'd better go double-check that now...). One really good benefit of not logging in as root (in a multi-admin scenario) is accountability - you know who it is logged in as root (even better with sudo). If you're the only user then using separate accounts helps reinforce best practices (as well as the security benefits Strog mentioned).
elmore
November 27th, 2002, 14:44
then other accounts should be created!
Look I don't disagree that on a public box that allows ssh from off the inet that an operator account should be created. I do that here on this box.
I also, just for the record, don't think this is a bad idea at all. I'm in agreement with it.
On my home net however, which sits behind an invisible bridge, a firewall, an IDS system, a counter-measures system and a file integrity checking system, I see no reason why my box that serves internal DNS needs to have another account on it. I think I'm paranoid enough. I also don't think anyone's getting by my exterior defenses @home. Maybe you can show me that I'm wrong. I'll gladly give you my IP at home if you'd like.
On another note, when you're first setting up a box, perhaps you just haven't gotten around to setting up other accounts yet. Perhaps you work in a shop that has yp, and you haven't gotten to the point of binding the box in yet. Albeit you can argue that should be done first. Again, I'm not disagreeing with either of you here, certainly since ssh has had more than its share of problems over the past 2.5 years.
I also do seem to remember tarballed saying that he was only looking to do that temporarily. I forget why, I could be wrong, it wouldn't be the first time. Perhaps he could settle that. I just seem to remember a precursor to this post both here in the forums and in conversation on irc.
Anyways, that's what I think. :)
Strog
November 27th, 2002, 15:19
I used to be the Network Administrator at a 600 million dollar bank (not big as banks go but 15 locations in a 250 mile radius) and we tried to protect every system on every conceivable level we could. Good network security is layers upon layers. Networks are like onions and not parfaits 8) .
We had Unisys come in and do a thorough network scan for $22k. They just hit the servers and a dozen semi-random workstations. They came back with a 400 page report of the potential problems and holes. I'd recommend that you download nessus (http://www.nessus.org) for free and get 98% of the same results. It can open your eyes to things you weren't even aware of.
All that said, old habits are hard to break and you are right about this all being overkill in a home network. Thank goodness you are using a firewall and using ssh instead of telnet behind the firewall. I wouldn't worry too much about a home network if you have taken reasonable steps not to do the obvious blunders, i.e. (sharing the root filesystem with rw to guest account, null passwords, etc.)
I can give you elmore's IP right now if you want. It's 127.0.0.1. Hit it real hard!!! :shock: .
elmore
November 27th, 2002, 15:28
Agreed
Yup nessus is a great tool. I have used it plenty.
Strog
November 27th, 2002, 15:55
You could always compromise on the security issue.
You can edit the sudoers file and set up a local user or group to be able to sudo without a password. This way you are only running as root when you type "sudo command" and not all the time when you su and stay there. If someone logs on as a regular user then immediately su's and stays there until they log out, it is only marginally better than logging in as root. It does stop a couple of root attacks that depend on root logging directly in to ssh so it is somewhat better.
The sudo options are better because you only use it as much as you need it and limit your exposure to system compromises.
I'm just throwing it all out there. You decide how much balance you want between good security practices and convenience. I doubt you will be very happy if you went to either extreme of the issue.
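As an added example (not from the thread), here are the two shapes the compromise Strog describes can take in sudoers, with a small audit function that flags the broad form. The group name "admins" and the command list behind the Cmnd_Alias are assumptions for illustration; on a real system install the fragment with `visudo -f` so the syntax is checked before sudo ever reads it.

```shell
#!/bin/sh
# Added example, not from the original thread. Two sudoers fragments and an
# audit that counts rules granting passwordless "ALL" (any command as root).

# The convenient form Strog mentions: every member of the assumed 'admins'
# group runs any command as root with no password. Functionally this is
# handing out root; it only avoids running a whole session as root.
broad_sudoers_fragment() {
    printf '%s\n' '%admins ALL=(ALL) NOPASSWD: ALL'
}

# The narrower form: a password is still required by default, and it is
# waived only for a short list of routine commands (assumed paths).
narrow_sudoers_fragment() {
    cat <<'EOF'
Cmnd_Alias SERVICES = /usr/sbin/service sshd reload, /usr/sbin/service named restart
%admins ALL=(ALL) ALL
%admins ALL=(root) NOPASSWD: SERVICES
EOF
}

# Count user/group rules in a sudoers file whose command list is a bare
# passwordless ALL. Comment lines, Defaults lines and alias definitions are
# skipped because they cannot grant anything by themselves.
count_nopasswd_all() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
        /NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { n++ }
        END { print n + 0 }
    ' "$1"
}

# Usage on a real box, where /etc/sudoers is only readable by root:
#   count_nopasswd_all /etc/sudoers        # 0 is what you want to see
#   narrow_sudoers_fragment | visudo -c -f -   # syntax-check before installing
```

The audit is deliberately simple: it looks at one file, not `#include` directives or `sudoers.d`, and a rule such as `NOPASSWD: ALL, !/bin/su` would slip past it, so treat a count of zero as a starting point for reading the file, not as proof.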
|MiNi0n|
November 27th, 2002, 17:05
Thank goodness you are using a firewall and using ssh instead of telnet behind the firewall.
OMFG... is telnet bad? Gee, I'm sure glad I use rlogin. That's a secure protocol that one. And root logins... sure... why not? Heck, I like a blank root password... typing can be so damned tedious!
rlogin to my server is great. Only trouble I have with that is sometimes my CPU gets just swamped... seems related to sendmail, least that's what top shows. I looked at my maillog but it's gotta be wrong, I mean, I sure as heck haven't sent 1 trillion mails to people I don't know and I sure as heck wouldn't have sent them as sexyteenslutslicklots@hotmail.com. Funny thing that!!! I also have trouble with my discs filling up. I host some anon ftp for some friends but I don't know why they keep putting things like M$Office_with_serial.rar on there. And besides having to redo my webpage every now and then (something gets corrupted somewhere I guess and the pages sometimes turn up as "U b33n h4x4d" or similar???) the thing just hums along beautifully!
Oh yeah, I'm not afraid, my IP is 207.46.134.222
:lol:
elmore
November 27th, 2002, 17:09
too much man, you are hilarious! :lol:
|MiNi0n|
November 27th, 2002, 23:28
too much man, you are hilarious!
Thought you could use a laugh elmore :D
I agree with all points of course! root login is bad in most scenarios! I trust everyone is familiar with the silly "toor" account in FreeBSD? Interesting concept... not sure I like it though.