Re: Is SSH worth it??

[Johan De Meersman <johan () ops skynet be>]

Chris Berry wrote:

> > From: Johan De Meersman <johan () ops skynet be>
> >
> > > > I don't think it's ever a good idea to allow root ssh to any machine
> > >
> > > Why not?  Also, how are you going to remote administer it without
> > > some sort of control SSH, VNC, etc?
> >
> > Because the first shell exploit or key theft will give root access
> > instead of low-user access. Remote control is achieved by ssh-ing as
> > low-user, and then su-ing to root, thereby doubling the work involved
> > in rooting the box. You still need decent passphrases on both your
> > keys and your root account, of course. You can also allow root ssh
> > from localhost only, adding a tiny bit more security still by not
> > su-ing but ssh-ing to root.
>
>
> Doesn't this actually lower your securtiy by requiring you to transmit
> you password when you do the SU command, rather than authenticating
> locally?

No, because traffic to localhost (127.0.0.1) doesn't actually pass the
network, and all ssh-packets are encrypted, even those before
authentication. The (minimal) added security is in the fact that you
never have to enter the actual root password, so even if an intruder
were to gain physical access, they still have some work to do before
they get root. On the other hand, physical access doesn't require one to
have root to kill the box :)

> Chris Berry
> compjma () hotmail com
> Systems Administrator
> JM Associates
>
> "I have found the way, and the way is Perl."
>
>
> _________________________________________________________________
> Surf the Web without missing calls! Get MSN Broadband. 
> http://resourcecenter.msn.com/access/plans/freeactivation.asp



-- 
Public GPG key at blackhole.pca.dfn.de .

Attachment: _bin
Description: