Can't log into root with ssh

I just installed a FreeBSD server. I am able to log in with KVM using the user root and the password I set. When I try to log in with the user root with ssh it does not allow me to log in. It makes me have to log in using root@web but it won't let me log in with that user on ssh. Anybody have any ideas what is going on?
 
The default SSH configuration forbids root logins. If you really want to allow it, change #PermitRootLogin no to PermitRootLogin yes in /etc/ssh/sshd_config.

If you really want to do that, my recommendation would be to at least disable password authentication (so, require a valid key).

edit, SirDice, "bad habit", yep, in general, but for some special purpose machines, it might be adequate. I have e.g. machines only for test-building ports, they just don't need any user account...
 
If you need root login by ssh for operational reasons, the most secure way to do it is to add the following to /etc/ssh/sshd_config:
Code:
# We need to allow root login
PermitRootLogin prohibit-password
# We want login via ssh with keys only...
PasswordAuthentication no
ChallengeResponseAuthentication no
You then need to place the public ssh key of authorised login users into ~root/.ssh/authorized_keys.

For additional security to strictly limit what may be done (e.g. to activate a root-privileged backup client) you may append command="command" to the public key. See sshd(8) for details.
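
An added example, not part of the original post or of FreeBSD itself: a shell check that an sshd_config explicitly sets the three values from the post above, following sshd's first-value-wins parsing. The function names and both sample files are constructed for illustration.

```shell
#!/bin/sh
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and a line starting with '#' sets nothing.

# Print the global (pre-Match) value of keyword $2 in file $1, or "unset".
sshd_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "unset" }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        {
            split($0, f, /[ \t=]+/)
            key = tolower(f[1])
            if (key == "match") exit      # lines after Match are conditional
            if (key == want && f[2] != "") { val = f[2]; exit }
        }
        END { print val }
    ' "$1"
}

# Return 0 only if file $1 explicitly sets the three values from the post.
audit_root_key_only() {
    rc=0
    for pair in permitrootlogin:prohibit-password passwordauthentication:no \
                challengeresponseauthentication:no; do
        key=${pair%%:*}; want=${pair#*:}
        got=$(sshd_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '$got', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample files (not from the thread's machines).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
good="$tmp/good.conf"; weak="$tmp/weak.conf"
printf '%s\n' '# We need to allow root login' \
    'PermitRootLogin prohibit-password' \
    'PasswordAuthentication no' \
    'ChallengeResponseAuthentication no' > "$good"
# The commented line is ignored and the first live line wins, so root
# password login stays enabled despite the later prohibit-password.
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' \
    'PermitRootLogin prohibit-password' 'PasswordAuthentication no' > "$weak"

audit_root_key_only "$good" && echo "good.conf: OK"
audit_root_key_only "$weak" || echo "weak.conf: rejected"
```

On a live system, `sshd -T` prints the effective configuration that the daemon would actually use.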
 
This can be an annoying issue to resolve as the error isn't always descriptive enough and can be misleading when trying to debug as it doesn't point to the real source of the problem. It could be your packet filter, TCPWrappers & PAM, the sshd_config: syntax error and/or disabled setting(s), an incorrect keypair, a missing home directory, or a user account with a nologin shell, etc. or any combination of these.
 
alexseitsinger not really, you can quickly rule out networking issues because you will see authentication take place, so you know you successfully connected to the ssh daemon.

Nothing more can be done without weakening security. With authn/authz errors, you never tell the client details about the nature of the problem, as these could help attackers.
 