Full Disclosure mailing list archives
Re: [Full-Disclosure] (Psexec on *NIX)
From: "Tyop?" <tyoptyop () gmail com>
Date: Sat, 3 Feb 2007 04:38:41 +0100
On 2/2/07, chedder1 () gmail com <chedder1 () gmail com> wrote:
On Fri, Feb 02, 2007 at 04:51:36PM +0100, Tyop? wrote:On 2/2/07, Raj Mathur <raju () linux-delhi org> wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday 02 February 2007 12:08, Valdis.Kletnieks () vt edu wrote:On Fri, 02 Feb 2007 13:25:11 +0800, Eduardo Tongson said:On 2/2/07, Xavier Beaudouin <kiwi () oav net> wrote: <>Allowing direct root login even with SSH is IMHO stupid...Please elaborate why is it IYHO stupid.In environments where more than 1 person has root access, allowing direct login to root means you can't keep an audit trail of which person logged in. And if your environment only one person has root access, that's just looking for a DoS if the one person is hit by a bus.....I believe we have had this discussion before, but I'll iterate my beliefs in favour of allowing direct root access again: - - Password management is a bitch. I don't remember passwords for about half the accounts I have. Using a key-based root login, I don't need to remember those passwords either. If you take the sudo route, every user has to remember each password for each account, unless you take the deprecated route of reusing passwords (or *horrors* allow sudo without password).key-based login without passphrase is like eating cheese without bred. useless (IMHO).- - With a little bit of configuration, it's easy to figure out which key was used to login to an account; the audit trail can be managed that way. - - Managing which users have access to which root accounts is trivial this way: just add or delete their keys from .ssh/authorized_keys[2].Totally agree.... i eat cheese without bread
It's dangerous. -- Tyop? http://altmylife.blogspot.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: [Full-Disclosure] (Psexec on *NIX), (continued)
- Re: [Full-Disclosure] (Psexec on *NIX) Paul Schmehl (Feb 01)
- Re: [Full-Disclosure] (Psexec on *NIX) Xavier Beaudouin (Feb 01)
- Re: [Full-Disclosure] (Psexec on *NIX) Eduardo Tongson (Feb 01)
- Re: [Full-Disclosure] (Psexec on *NIX) Valdis . Kletnieks (Feb 01)
- Re: [Full-Disclosure] (Psexec on *NIX) Raj Mathur (Feb 02)
- Re: [Full-Disclosure] (Psexec on *NIX) Valdis . Kletnieks (Feb 02)
- Re: [Full-Disclosure] (Psexec on *NIX) Q-Ball (Feb 04)
- Re: [Full-Disclosure] (Psexec on *NIX) James Matthews (Feb 04)
- Re: [Full-Disclosure] (Psexec on *NIX) Paul Schmehl (Feb 01)
- Re: [Full-Disclosure] (Psexec on *NIX) Tyop? (Feb 02)
- Re: [Full-Disclosure] (Psexec on *NIX) chedder1 (Feb 02)
- Re: [Full-Disclosure] (Psexec on *NIX) Tyop? (Feb 02)
- Re: [Full-Disclosure] (Psexec on *NIX) Knud Erik Højgaard (Feb 03)
- Re: [Full-Disclosure] (Psexec on *NIX) Stan Bubrouski (Feb 02)
- Re: [Full-Disclosure] (Psexec on *NIX) Q-Ball (Feb 04)
- Re: [Full-Disclosure] (Psexec on *NIX) Marcello Barnaba (Feb 05)
- Re: [Full-Disclosure] (Psexec on *NIX) Siim Põder (Feb 07)