From: Matthew Seaman
To: questions@freebsd.org
Subject: Re: Enabling SSHD
Date: Mon, 29 Jan 2024 14:15:19 +0000
Message-ID: <4f60fad9-c5b1-46ea-bfbf-7e654bd5d3d1@FreeBSD.org>
In-Reply-To: <20240129134722.fbwrvamdf2wx4vik@yosemite.mars.lan>
References: <20240129125745.fuh6nnc4dooto2oz@yosemite.mars.lan> <20240129134722.fbwrvamdf2wx4vik@yosemite.mars.lan>
List-Id: User questions
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

On 29/01/2024 13:47, Paul M Foster wrote:
> I certainly hope this is not the case. I've been running Linux for 30
> years, and am looking to transition to FreeBSD. If passwords are prohibited
> for SSH access, that would be a major reason for me not to pursue FreeBSD
> any further. FWIW, I disagree with the current fad of believing that
> passwords should be eliminated for everything. I believe passwords,
> properly implemented, are more than adequate for normal security. If you're
> trying to secure NSA servers or something, by all means eliminate
> passwords in favor of hardware keys or the like.

Passwords are not prohibited for SSH access. The default configuration supplied with a basic install of FreeBSD doesn't turn password access on for root by default, because we know that many people will just use the "out of the box" configuration, so it is set to be as secure as feasible.

However, this is FreeBSD. We have a saying around here: "tools, not policy" -- meaning that, yes, the system comes with ssh, but it's entirely up to you how to configure it. If you want password based auth for sshd, then go ahead and edit /etc/ssh/sshd_config and/or /etc/pam.d entries, as appropriate.
In fact, in general, if you install any software that requires configuration files to be set up, don't assume you're going to get anything like a working configuration directly from `pkg install`. You might get something immediately usable, sometimes, but you can't rely on that happening. Likewise, don't expect daemon processes to be automatically enabled and started up as a result of `pkg install`. On FreeBSD, those are deliberately separate steps that you, as the admin, are expected to make intentionally. It's maybe not as convenient for a more casual user, but it plays much better with automated configuration tools like Ansible, and if you're working at scale with whole clusters of machines.

Cheers,

Matthew
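Since the reply leaves sshd's configuration entirely to the admin, it helps to be able to read an sshd_config the way sshd itself does before enabling anything. The following POSIX sh script is an added example (not from the list post and not FreeBSD's own tooling): it resolves a keyword's effective global value using sshd's first-match rule and runs over a constructed sample file; the fallback defaults passed as the third argument are assumptions the caller supplies, not values read from the system.

```shell
#!/bin/sh
# Added example, not from the list post: resolve sshd_config settings the
# way sshd does. sshd honours the FIRST uncommented occurrence of a keyword,
# keywords are case-insensitive, and anything after the first "Match" line
# is conditional, so a "PasswordAuthentication yes" appended at the bottom
# of the file may do nothing at all.

# Print the effective global value of keyword $2 in file $1; fall back to $3,
# the compiled-in default the caller assumes, when the keyword is never set.
sshd_effective() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    _val=$(awk -v key="$_key" '
        substr($1, 1, 1) == "#" { next }        # comment line
        tolower($1) == "match" { exit }        # rest is conditional, not global
        NF >= 2 && tolower($1) == key { print $2; exit }   # first match wins
    ' "$1")
    printf '%s\n' "${_val:-$3}"
}

# Succeed (exit 0) only if the global settings let root log in with a password.
root_password_login_possible() {
    [ "$(sshd_effective "$1" PermitRootLogin no)" = yes ] &&
    [ "$(sshd_effective "$1" PasswordAuthentication no)" = yes ]
}

# Constructed sample: a commented default, a lowercase keyword, a later
# duplicate that is ignored, and a Match block that only applies to one user.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
#PermitRootLogin no
Port 22
permitrootlogin yes
PasswordAuthentication no
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

echo "PermitRootLogin:        $(sshd_effective "$SAMPLE" PermitRootLogin no)"
echo "PasswordAuthentication: $(sshd_effective "$SAMPLE" PasswordAuthentication no)"
echo "KbdInteractiveAuth:     $(sshd_effective "$SAMPLE" KbdInteractiveAuthentication yes)"
if root_password_login_possible "$SAMPLE"; then
    echo "root can log in with a password"
else
    echo "root cannot log in with a password"
fi
```

Editing the file starts nothing on FreeBSD: the daemon still has to be enabled with `sysrc sshd_enable=YES` and started with `service sshd start`, and `sshd -t` checks the file for errors before a restart.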