Security Basics mailing list archives

RE: Is SSH worth it??


From: "Mark Stunnenberg" <marksg () x-life nl>
Date: Wed, 16 Oct 2002 21:46:13 +0200


Authenticating locally? How's that going to happen?
You still need a password to get root xs .. or else some sort of
'prove' to give the box that you are allowed to have root ..

I think that in any other way the root pass still goes over the line..

----
SELECT * FROM users WHERE clue > 0;
0 rows returned

-----Original Message-----
From: Chris Berry [mailto:compjma () hotmail com]
Sent: Wednesday, October 16, 2002 03:08 AM
To: security-basics () securityfocus com
Subject: Re: Is SSH worth it??


From: Johan De Meersman <johan () ops skynet be>

I don't think it's ever a good idea to allow root ssh to any machine

Why not? Also, how are you going to remote administer it without
some sort of control SSH, VNC, etc?

Because the first shell exploit or key theft will give root access
instead of low-user access. Remote control is achieved by ssh-ing
as low-user, and then su-ing to root, thereby doubling the work
involved in rooting the box. You still need decent passphrases on
both your keys and your root account, of course. You can also allow
root ssh from localhost only, adding a tiny bit more security still
by not su-ing but ssh-ing to root.

Doesn't this actually lower your security by requiring you to
transmit your password when you do the SU command, rather than
authenticating locally?

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"I have found the way, and the way is Perl."

