Talk:Security (Why FreeBSD?)
is there going to be a "how to tighten your machine" section or article? I don't mean line-by-line "here's how to setup a firewall" but stuff like changing password hashing to use blowfish rather than DES or MD5, killing the MOTD etc etc
There is if you write it, which you certainly have my blessing to do.
--Jimbo 21:14, 12 Sep 2004 (GMT)
Stupid and wrong argumentation for dissalowing root login via ssh
While we agree on the conclusion, that root login should not be allowed by default, the argument given in the previous section is FUD, wrong, void and makes me wonder if one can trust what else is said about BSD. To use John the Ripper you need read access to /etc/password and /etc/shadow, where all modern linux´s keep the encrypted passwords. You need to be root to read /etc/shadow as it is always installed 0600 uid root. So if you can read /etc/shadow you already have root access, which means you have no reason to run the john, as you know the root password already.
The reason not to allow root login is simple. You want the root´ing people to authenticate as an ordinary user first, in order to track the su´ing people down in the logs (assuming they do not remove themselves from the logfiles ...).
You can't attempt to crack the hashes directly when root login is allowed, but you CAN attempt a brute-force or dictionary attack against the root account using an SSH plugin. If root login isn't allowed, you can't do that, because you first need to know the name of an account that is a member of the wheel group, THEN you need to know its password, THEN you need to find the password for root. The original argument stands; you simply misinterpreted it.
--Jimbo 23:40, 4 Dec 2004 (EST)
day late and a dollar short
but also worth pointing out that BSD does not use /etc/shadow & /etc/passwd -- it uses /etc/passwd and /etc/master.passwd in their place (the PAM controls are different as well, I think, but I haven't looked into it enough.)
--Dave 19:02, 10 Mar 2005 (EST)