Security Basics mailing list archives
RE: Is SSH worth it??
From: "Mark Stunnenberg" <marksg () x-life nl>
Date: Wed, 16 Oct 2002 21:46:13 +0200
Authenticating locally? How's that going to happen? You still need a password to get root xs .. or else some sort of 'proof' to give the box that you are allowed to have root .. I think that in any other way the root pass still goes over the line..

----
SELECT * FROM users WHERE clue > 0;
0 rows returned

-----Original Message-----
From: Chris Berry [mailto:compjma () hotmail com]
Sent: Wednesday, October 16, 2002 03:08 AM
To: security-basics () securityfocus com
Subject: Re: Is SSH worth it??

> From: Johan De Meersman <johan () ops skynet be>
>>> I don't think it's ever a good idea to allow root ssh to any machine
>> Why not? Also, how are you going to remotely administer it without some sort of control SSH, VNC, etc?
> Because the first shell exploit or key theft will give root access instead of low-user access. Remote control is achieved by ssh-ing as low-user, and then su-ing to root, thereby doubling the work involved in rooting the box. You still need decent passphrases on both your keys and your root account, of course. You can also allow root ssh from localhost only, adding a tiny bit more security still by not su-ing but ssh-ing to root.

Doesn't this actually lower your security by requiring you to transmit your password when you do the SU command, rather than authenticating locally?

Chris Berry
compjma () hotmail com
Systems Administrator
JM Associates

"I have found the way, and the way is Perl."
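The setup discussed in the quoted reply above (no root ssh from the network, root ssh only from localhost) can be checked against an sshd_config. This is an added example, not part of the original message or thread; it assumes the `Match Address` keyword of current OpenSSH, which the thread does not mention, and the names `SAMPLE_CONFIG`, `LOOPBACK`, `root_login_policy` and `remote_root_allowed` are hypothetical.

```python
# Added example; SAMPLE_CONFIG is constructed, not taken from the thread.
SAMPLE_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
# A later duplicate is ignored: sshd keeps the first value it obtains.
PermitRootLogin yes

Match Address 127.0.0.1,::1
    PermitRootLogin prohibit-password
Match User backup
    X11Forwarding no
"""
LOOPBACK = {"127.0.0.1", "::1"}

def root_login_policy(text, default="prohibit-password"):
    """Return (global_value, [(match_criteria, value), ...]).

    default is an assumption: the value sshd uses when the keyword is
    absent (prohibit-password in current OpenSSH, yes in old releases).
    """
    global_value, overrides = None, []
    current_match, seen = None, False   # current_match is None in the global section
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keyword, value = parts[0].lower(), parts[1].strip()
        if keyword == "match":
            current_match, seen = value, False
        elif keyword == "permitrootlogin":
            if current_match is None:
                global_value = global_value or value.lower()
            elif not seen:
                overrides.append((current_match, value.lower()))
                seen = True
    return global_value or default, overrides

def remote_root_allowed(text):
    """True if root may log in from anywhere other than loopback."""
    global_value, overrides = root_login_policy(text)
    if global_value != "no":
        return True
    for criteria, value in overrides:
        words = criteria.split()
        local_only = (len(words) == 2 and words[0].lower() == "address"
                      and set(words[1].split(",")) <= LOOPBACK)
        if value != "no" and not local_only:
            return True
    return False
```

A Match block that re-enables root login for anything other than a pure loopback address list is reported as remote root access, as is a configuration that leaves the keyword unset.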