Full Disclosure mailing list archives
Re: [Full-Disclosure] (Psexec on *NIX)
From: Q-Ball <qballus () gmail com>
Date: Mon, 5 Feb 2007 11:11:08 +1100
On 2/2/07, Valdis.Kletnieks () vt edu <Valdis.Kletnieks () vt edu> wrote:
> On Fri, 02 Feb 2007 13:40:47 +0530, Raj Mathur said:
>
> > I believe we have had this discussion before, but I'll iterate my beliefs in favour of allowing direct root access again:
> >
> > - Key-based root logins are quite secure. I don't see any reason why key-based root login would be any less secure than permitting a user login followed by an sudo.
>
> It's not the security of the login itself - it's the ability to create an audit trail of which userid performed an action. If you can find some other way to...
Yes, ability to audit is important, and you can still retain accountability with direct root logons depending upon configuration, but there are two major security problems with direct root logons:

- Remote brute forcing. Personally I'd rather someone crack 2 accounts rather than just one, but maybe that's just me ;-)
- Security should be implemented on a least privilege basis. Logging on as root as opposed to a user isn't always required and just increases your window of opportunity, e.g. SSH channel attacks, key loggers, brute forcing, etc.

Quite often sudo should suffice for regular tasks.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
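Added example, not part of the original message or thread: a small log review that makes the audit-trail and brute-forcing points above concrete. It assumes the common OpenSSH and sudo syslog line formats; the sample lines, host names and addresses are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in the usual sshd / sudo syslog layout (assumption).
SAMPLE_LOG = """\
Feb  5 10:01:12 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Feb  5 10:01:14 host sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
Feb  5 10:01:17 host sshd[2103]: Failed password for root from 203.0.113.7 port 40130 ssh2
Feb  5 10:05:40 host sshd[2150]: Accepted publickey for root from 198.51.100.20 port 51514 ssh2
Feb  5 10:07:02 host sshd[2166]: Accepted publickey for alice from 198.51.100.20 port 51620 ssh2
Feb  5 10:07:30 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
"""

SSHD = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\S+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)
SUDO = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")


def summarize(log_text, brute_threshold=3):
    """Split root activity into direct logins, sudo actions and failed attempts."""
    direct_root, sudo_as_root, failed_root = [], [], Counter()
    for line in log_text.splitlines():
        m = SSHD.search(line)
        if m:
            result, method, user, src = m.groups()
            if user == "root" and result == "Accepted":
                # Only a source address and auth method: no personal userid.
                direct_root.append((src, method))
            elif user == "root":
                failed_root[src] += 1
            continue
        m = SUDO.search(line)
        if m and m.group(2) == "root":
            # sudo records which userid ran which command as root.
            sudo_as_root.append((m.group(1), m.group(3)))
    suspects = sorted(s for s, n in failed_root.items() if n >= brute_threshold)
    return {
        "direct_root": direct_root,
        "sudo_as_root": sudo_as_root,
        "brute_force_sources": suspects,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

In the sample, the direct root session and alice's session come from the same address, so only the sudo line ties a root action to a named user.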