Grant wrote: >>>>> an ssh config setting, in shorewall, or somewhere else? >>>>> >>>> You can: >>>> >>>> 1) use pam as described by Mike >>>> >>>> or >>>> >>>> 2) use sshd_config "AllowUsers" >>>> >>> Thanks a lot, I went with 'AllowUsers root' in sshd_config since sshd >>> is the only service running on the system. >>> >> I really would not do that. Instead create a user to log in and su to root. >> Root should not be allowed to log in - way to risky. >> > > Is the idea to put 2 passwords in the way of gaining root access? The > problem is twice as many passwords to memorize. Even if the 2 > passwords are the same, I suppose they would have to come up with the > username too which is a (thin) extra layer. > > Is that done with 'AllowUsers user'? > > - Grant > > >
I would think the point is every hacker out there knows the user root exists. They may not know the other users but they know root is there so they just script the user root and bang away at passwords and hope they get lucky. Eventually, they will get lucky if they try long enough. Think of it this way. If root is disabled, they have to figure out which user can su to root since all may not be allowed to. They also have to guess that users password. Then on top of that they have to guess the root password too. They have to get the user name, password and the root password right before they can do anything. If you allow root access, they only need the root password. Guessing one is easier than guessing three. Dale :-) :-)

