Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Full-Disclosure] (Psexec on *NIX)

From: Q-Ball <qballus () gmail com>
Date: Mon, 5 Feb 2007 11:11:08 +1100
On 2/2/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:

On Fri, 02 Feb 2007 13:40:47 +0530, Raj Mathur said:

I believe we have had this discussion before, but I'll iterate my
beliefs in favour of allowing direct root access again:



- Key-based root logins are quite secure.  I don't see any reason why
key-based root login would be any less secure than permitting a user
login followed by an sudo.


It's not the security of the login itself - it's the ability to create
an audit trail of which userid performed an action.  If you can find
some other way to...



Yes ability to audit is important, and you can still retain
accountably with direct root logons depending upon configuration but
there are two major security problems
with direct root logons:
- Remote brute forcing. Personally I'd rather someone crack 2 accounts
rather than just one, but maybe that's just me ;-)
- Security should be implemented on a least privilege basis. Logging
on as root as opposed to a user, isn't always required and just
increases your window of opportunity eg. SSH channel attacks, key
loggers, brute forcing, etc.Quite often sudo should suffice for
regular tasks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: