How to prevent root login with ssh and yet allow other users to login?



  • Don't feel like having root login open, sshd_config just gets overwritten, any ideas?

    /d


  • LAYER 8 Global Moderator

    Hmmm.. You could do public key auth only, and not install a key for the admin account, which is the root account.

    Really do not understand your logic though.. This is a firewall, not some server open to the public internet with different users etc. You don't have your ssh login open to the public internet, do you? And set to use passwords? And not locked at least to specific source IPs?



  • @johnpoz:

    Hmmm.. You could do public key auth only, and not install a key for the admin account, which is the root account.

    Really do not understand your logic though.. This is a firewall, not some server open to the public internet with different users etc. You don't have your ssh login open to the public internet, do you? And set to use passwords? And not locked at least to specific source IPs?

    I'm not running the default ssh port and I'm blocking from most IP ranges; it would be nice to have a user "sshuser1" allowed to login and set up the ssh tunneling.

    So it's not possible to disable root login and have it open for "sshuser1" to login?

    EDIT
    Similar to this
    https://forum.pfsense.org/index.php?topic=2473.0


  • Banned

    @deddric:

    blocking from most IP ranges

    You are doing it upside down. You should whitelist a bunch of allowed IPs or use a VPN. Not blacklist billions of them.



  • @doktornotor:

    @deddric:

    blocking from most IP ranges

    You are doing it upside down. You should whitelist a bunch of allowed IPs or use a VPN. Not blacklist billions of them.

    Well, that's not really my setup, and it's not what I requested help with either, back to topic plz.

    EDIT: why login with root even if you have IP lists, it would still be better to do that with a lower permission user


  • LAYER 8 Global Moderator

    Because what would you be doing when logging in - other than root functions? It's your firewall.. not some box to use for applications. It's pointless to come in with some other account, just to change over to root/admin to admin the firewall.

    If you give some other account the required permissions to do the admin functions - it's really no different than root ;)

    I really would not suggest that ssh even be open to the outside unless you could lock it down to specific source IPs that are in your control. No matter what account you're accessing it with. And even so, password auth is not a good idea. Limit to public key auth.

    The solution to your question has been given. Change to public key, and do not give the admin/root (same thing in pfSense) account a public key.. Only set up keys on other accounts you create.

    To remotely access your firewall you really should VPN in..

    BTW nice to see you back Dok!  Haven't seen any posts from you in some time here.  Always good to see you posting!



  • So what's your opinion on exposing the webgui (other port than default) to the internet?

    /d


  • Galactic Empire

    @deddric:

    So what's your opinion on exposing the webgui (other port than default) to the internet?

    /d

    What The Doktor prescribed :-

    @doktornotor:

    or use a VPN.

    I NAT SSH / SFTP to a Raspberry Pi running FreeBSD sat in my DMZ; on the Pi I'm using pf to block brute force SSH / SFTP attacks and also whitelist people that can connect on the WAN router.

    https://www.cyberciti.biz/faq/freebsd-openbsd-pf-stop-ftp-bruteforce-attacks/
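    As an added illustration of the pf approach this post describes (not the poster's own configuration), here is a pf.conf fragment for a FreeBSD host that only lets whitelisted sources reach sshd and moves any address that opens connections too quickly into a block table. The interface name and the address ranges are constructed placeholders.

```pf
# Added example pf.conf fragment (FreeBSD). Interface and addresses are assumptions.
ext_if = "em0"                      # assumed WAN-facing interface name
ssh_port = "22"

# Sources allowed to reach sshd at all (constructed example ranges)
table <ssh_allow> { 203.0.113.10, 198.51.100.0/24 }
# Addresses that tripped the rate limit; "persist" keeps the table across rule reloads
table <ssh_bruteforce> persist

set skip on lo0
block in log on $ext_if

# Drop anything already flagged as brute-forcing before the allow rule is evaluated
block in quick on $ext_if from <ssh_bruteforce>

# Whitelisted sources may open SSH/SFTP sessions, but a single source making more
# than 5 new connections in 30 seconds (or holding more than 10 at once) is added
# to <ssh_bruteforce> and all of its existing states are flushed
pass in quick on $ext_if proto tcp from <ssh_allow> to ($ext_if) port $ssh_port \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, \
     overload <ssh_bruteforce> flush global)

pass out on $ext_if keep state
```

    Inspect the flagged addresses with `pfctl -t ssh_bruteforce -T show`, and age them out with `pfctl -t ssh_bruteforce -T expire 3600` so a mistyped passphrase from a legitimate host does not lock it out forever.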


  • LAYER 8 Global Moderator

    @deddric:

    So what's your opinion on exposing the webgui (other port than default) to the internet?

    Never in a million years would I do that or suggest that to anyone.. If you "must" do it then it would need to be locked to a specific source IP that is in your control.

