@jknott said in Root SSH login?:
In the Linux world, root ssh login is generally not allowed
and
@jknott said in Root SSH login?:
The point is you don't allow root login.
Several years ago, 'root' what the user the hosting company gave you, and a password.
We were advised to change that root password asap with the password command after a first login.
These days, a new 'Debain' system (that's the OS I know), you get an 'debian' user account, and a password.
'root' can't login over SSH by default. You have to
su -
So far, all ok. Time learns us to do the same differently.
But there is an extra step that should be done and very few do it :
Shut down password logins altogether over SSH/SFTP.
A ssh-rsa 'thing' should be created with our favorite Putty ssh-gen program.
Two files are created.
The public one ( ?) has to be inserted into the admin account :
d46b7422-60ff-4922-b5a1-e8ebaa3f879f-image.png
The private one should stay on your PC, or better, USB key. Or learn it out of your head. This cert can also be generated with a password - called a pass phrase.
dac8c0b4-f52b-4437-967e-5b2a259d420a-image.png
Now, password login is done.
You need the key file (the private thing).
Putty will throw out the login user 'root' for you - set it up to do so.
It won't ask for keyboard alike passwords anymore.
It will ask the pass hrase of the cert :
11a79cd2-fc00-436e-a9a6-9c05f3f2c2d9-image.png
Enter the phrase and then your are logged in.
Now, all this doesn't change anything for the GUI login.
The good new is that pfSense isn't just some obscure device, it's your firewall and we, as admins, control and secure the firewall. Right ?!! That's why we use pfSense in the first place.
Real nerds do it like this :
The pfSense 'box' is locked up.
The LAN interface - as the console interface, are NOT connected.
All the other interfaces are used for hostile WAN and LAN clients. And now the fun part : all these clients can not use ports 80 and 443 and 22 of our firewall pfSense. You just have to create a block rule that does this. Easy !
Problem solved. No more 'root' issue.
Variant : on your LAN, only accepts traffic to port 22 - 80 - 443 TCP from your IPv4 and or IPv6 (the device you use to admin pfSense).
Or, another variant : use VPN also from LAN to login.
Or : shut down SSH access (not my advise - SSH is gold, as it also gives you SFTP which enables the real power. Still protected by a cert).
IMHO : Just to say : all this 'su' or 'sudo' is discussion is not really needed in this case.
The major week point is the GUI now - hide it as explained above.
And direct hardware (console port) access or screw driver access.