Re: About ssh login

Mikkel L. Ellertson wrote:
Ritesh Yeole wrote:
Dear Sir,
                I want to ssh to my client; there is a sonic-firewall.

In the firewall there is a static IP NAT with the server IP.
Now I want to ssh to it; it asks for a password, but when the password is entered it says:
[root@ndtest ~]# ssh ultra
root@ultra's password:
Permission denied, please try again.
root@ultra's password:
Permission denied, please try again.
root@ultra's password:
Permission denied (publickey).
=================
[root@ndtest ~]# ssh raisoni
root@raisoni's password:
Permission denied, please try again.
root@raisoni's password:
Permission denied, please try again.
root@raisoni's password:
Permission denied (publickey,gssapi-with-mic,password).
[root@ndtest ~]#


Please tell me what the difference is between them and how it is solved.


Thanks
Ritesh

The default sshd setup does NOT allow root to log in. It is usually a

Really?
20:01 [summer@numbat ~]$ root 172.17.0.11
The authenticity of host '172.17.0.11 (172.17.0.11)' can't be established.
RSA key fingerprint is eb:68:48:61:00:9a:24:ce:81:51:ed:d9:82:b9:92:96.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.17.0.11' (RSA) to the list of known hosts.
root@xxxxxxxxxxx's password:
Last login: Thu Jan 31 06:01:38 2008
[root@localhost ~]#

That's a freshly-installed CentOS5 box. I don't imagine the CentOS folk changed that.




bad idea to allow root logins from the Internet because it exposes the root account to automated cracking attempts. If you must allow root logins from the internet, at least limit it to using key pairs. If you can, also limit it to connections for a specific IP address, or range of addresses.

Rate-limiting with iptables is good. Blocking China, Japan, USA, Mexico is good if you don't live there.


As others have said, it is better to log in as a normal user, and then become root. It does not eliminate automated attacks, but it does make them harder.

I limit ssh from most of the world to five/hour. It makes it dashed hard to guess even a weak password.


--

Cheers
John

-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)
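
An added example, not part of the original message or thread: a small Python audit of an sshd_config for the advice given above (root limited to key pairs and to a specific source address). The sample configs, the use of AllowUsers for the address restriction, and the function names are assumptions of this example.

```python
from fnmatch import fnmatchcase

# Constructed sample configs for this example; not taken from the thread.
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = """\
# keys only for root, and only from one address (192.0.2.10 is a documentation IP)
permitrootlogin without-password
AllowUsers admin root@192.0.2.10
# a later duplicate is ignored: sshd keeps the first value it reads
PermitRootLogin yes
"""

KEY_ONLY = {"without-password", "prohibit-password", "forced-commands-only"}

def global_settings(text):
    """Map lower-cased keyword -> argument list for the part before any Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *args = line.split()
        key = key.lower()                      # keywords are case-insensitive
        if key == "match":
            break                              # conditional blocks are out of scope here
        if key == "allowusers":
            settings.setdefault(key, []).extend(args)   # AllowUsers lines accumulate
        else:
            settings.setdefault(key, args)     # first value wins
    return settings

def audit_root_login(text):
    """Return a list of findings about how root may log in; empty means restricted."""
    s = global_settings(text)
    findings = []
    root = (s.get("permitrootlogin") or ["unset"])[0].lower()
    if root == "no":
        return findings
    if root == "unset":
        findings.append("PermitRootLogin unset: the default depends on the OpenSSH version")
    elif root not in KEY_ONLY:
        findings.append(f"PermitRootLogin {root}: root is not restricted to keys")
    allow = s.get("allowusers", [])
    root_entries = [a for a in allow if fnmatchcase("root", a.split("@", 1)[0])]
    if allow and not root_entries:
        return []                              # AllowUsers is set and excludes root entirely
    if not allow or any("@" not in a for a in root_entries):
        findings.append("root login is not limited to a source address")
    return findings
```

Running `sshd -T` on the server prints the effective settings and is the authoritative check; this sketch only reads the global section of the file text.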
