able to login as root via ssh :-(

Don Russell fedora at drussell.dnsalias.com
Tue Aug 8 16:22:54 UTC 2006


Todd Zullinger wrote:
> Don Russell wrote:
>   
>>> Why?  Just curious what made you believe it was disabled by default.
>>>  
>>>       
>> Well.... just ignorance on my part.... but ftp doesn't allow me to log
>> in as root, and I don't recall changing that setting. Call it "I
>> expected any form of remote access to be consistent in denying root
>> access". Of course they are different programs (ftp server/ssh
>> server)... and I always see messages that say "... ssh in, then su -
>> to root...." sort of implies that ssh to root directly won't work.
>> But again, a bad assumption on my part. :-(
>>     
>
> It's not unreasonable to assume the default would be to disable it.
> I'm sure there have been debates on what the right default should be
> among the openssh developers.  I didn't mean to pick on you by asking.
> ;-)
>   

No offense taken... I often ask "why did you think that" to people, not 
as a criticism, but to see what they were thinking. Sometimes people 
reach certain conclusions, but have really convoluted thinking/path to 
get there. In my case, (above) I simply made a bad assumption, and 
missed the (now) obvious correction.
>   
>> One of these days I will learn how to do a case-insensitive search in 
>> vim :-(
>> I did /root and of course it came up empty... so I figured there must 
>> have been some other place...
>>     
>
> Add 'set ignorecase' to ~/.vimrc to make it ignore case by default.
> You can also do this while in vim by entering that (or the shorthand
> set ic) in command mode (:).  To make case sensitive again, use set
> noic.
>   

Thanks for that.... I like case insensitive searches by default.... it's 
very rare that I match on exact case... and it's always easy to just 
"nope, find next".

> You can do something similar with less so that you'll get case
> insensitive searches in man pages, which I've found quite helpful.
> The --ignore-case (or -i) option is what you want.  You can either
> alias less to less -i or export LESS="-i" (adding any other options
> you want as well).
>   

That's a good idea too....

>>> You might also want to disable password based authentication and
>>> only allow a few explicit users.  See PasswordAuthentication and
>>> AllowUsers in the sshd_config(5) man page.
>>>       
>> That's a good idea.... I'm the only one that needs remote access....
>> and my logs are always showing people "knocking at the door"
>> sometimes hundreds a day.
>>     
>
> Yep, the same bastards knock on most of our doors too. :)
>
> Yet another helpful method for stopping a lot of that is to run ssh on
> a different port.
>   

I'm not a big fan of that ... I like to use standard ports for things... 
to me, changing port numbers is little more than leaving the door key 
under the flower pot instead of under the mat. :-) Granted, there are 
approx 65000 flowerpots to choose from. :-)

If a would-be hacker is put off so easily as a port number change, they 
are probably harmless anyway. :-)

>> Thanks... now, if only it wouldn't bother asking for a password when
>> the userid is 'root'.. like ftp simply denies the request right
>> there. But, at least that little door is closed now. :-)
>>     
>
> It does on my system.  I've set PasswordAuthentication no and
> AllowUsers myusername.  Trying to ssh in as root gets me a quick
> permission denied message.

I'll check that out.... thanks.
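
Added example, not part of the original message: a small Python check that reads sshd_config text the way the thread's settings interact (PermitRootLogin, PasswordAuthentication, AllowUsers) and reports whether root can log in. The keyword matching is case-insensitive, which is also why a case-sensitive search for "root" misses PermitRootLogin. The sample file, the function names and the default values are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Assumed defaults for the setup in the thread (root login and passwords on).
# Newer OpenSSH releases default PermitRootLogin to prohibit-password.
DEFAULTS = {"permitrootlogin": "yes", "passwordauthentication": "yes"}

# Constructed sample file, not taken from the thread.
SAMPLE = """\
#PermitRootLogin yes
passwordauthentication no
AllowUsers myusername
PasswordAuthentication yes
"""

def effective(text):
    """Global settings: keywords are case-insensitive, first value wins."""
    cfg, allow = dict(DEFAULTS), []
    seen = set()
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or commented-out default
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # conditional Match blocks are out of scope here
        if key == "allowusers":
            allow += value.split()  # repeated AllowUsers lines accumulate
        elif key not in seen:
            seen.add(key)
            cfg[key] = value.lower()
    return cfg, allow

def root_login(text):
    """Classify how (or whether) root can authenticate over ssh."""
    cfg, allow = effective(text)
    if cfg["permitrootlogin"] == "no":
        return "denied: PermitRootLogin no"
    # Simplification: only the user part of a user@host pattern is compared.
    if allow and not any(fnmatchcase("root", p.split("@")[0]) for p in allow):
        return "denied: root not in AllowUsers"
    if (cfg["permitrootlogin"] != "yes"
            or cfg["passwordauthentication"] == "no"):
        return "key only"
    return "password login allowed"
```

On current OpenSSH, `sshd -T` prints the effective configuration of the running build and is the authoritative check; this sketch only shows how the three settings combine.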



