Date: Mon, 22 Jan 2001 19:01:55 +0100 (CET)
From: "Patrick M. Hausen" <hausen@punkt.de>
To: otis@wilbury.sk (Juraj Lutter)
Cc: tsikora@powerusersbbs.com (Ted Sikora), freebsd-stable@FreeBSD.ORG
Subject: Re: ssh login
Message-ID: <200101221801.TAA51972@hugo10.ka.punkt.de>
In-Reply-To: <20010122184442.C48980@wilbury.sk> from Juraj Lutter at "Jan 22, 2001 06:44:42 pm"
Hi all!

Juraj Lutter wrote:

> On Mon, Jan 22, 2001 at 12:38:15PM -0500, Ted Sikora wrote:
> >
> > That was it. How can root be dangerous in ssh.. isn't that why it
> > exists? Or would using su be better? I usually use ssh to remotely
> > administer the servers.
>
> Yes, using ``su'' or ``sudo'' is a more elegant solution than remote
> root login. If I think about hacked boxes and patched ssh clients, it
> makes me scared to login as root remotely :-)

Well, using su would not save you from a patched client recording your
keystrokes.

But, to provide a different answer to the original question: ssh with
root login enabled opens the system to remote dictionary attacks, i.e.
guessing the root password. Of course, you'd never choose a root password
that could easily be guessed, now, would you? ;-))

If you have to login with your regular account first, the attacker has to
guess a valid login name first, then mount another attack to get root
privileges. The only account that will be on _every_ (well, almost every)
Unix system is "root", so there's no need to guess that one.

It's common NT admin practice to rename the "Administrator" account. And
this _does_ improve security against remote attacks, so it's not as
moronic as it sounded to me when I first heard about it. Unfortunately MS
made it rather easy to find out the name of that particular account, once
you successfully authenticated to the NT domain in question, so beware of
all "insiders" ;-)

Just one more level of indirection for the script kiddies to cope with.

Patrick

--
--- WEB ISS GmbH - Scheffelstr. 17a - 76135 Karlsruhe - 0721/9109-0 ---
------ Patrick M. Hausen - Technical Director - hausen@punkt.de -------
"Contrary to popular belief, penguins are not the salvation of modern
technology. Neither do they throw parties for the urban proletariat."
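As an added example that is not part of the thread, a small Python checker for the remote password guessing against root that the reply describes: it counts failed sshd password attempts per account and source and flags sources hammering "root", the one account name nobody has to guess. The log lines are constructed samples in syslog format; the hostname and addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (syslog style); host and addresses are placeholders.
SAMPLE_AUTH_LOG = """\
Jan 22 18:44:01 gw sshd[1201]: Failed password for root from 192.0.2.10 port 40111 ssh2
Jan 22 18:44:03 gw sshd[1201]: Failed password for root from 192.0.2.10 port 40111 ssh2
Jan 22 18:44:05 gw sshd[1203]: Failed password for root from 192.0.2.10 port 40112 ssh2
Jan 22 18:44:07 gw sshd[1204]: Failed password for invalid user admin from 192.0.2.10 port 40113 ssh2
Jan 22 18:44:09 gw sshd[1205]: Failed password for root from 192.0.2.10 port 40114 ssh2
Jan 22 18:45:00 gw sshd[1210]: Accepted password for otis from 198.51.100.7 port 51000 ssh2
Jan 22 18:45:30 gw sshd[1211]: Failed password for otis from 198.51.100.7 port 51001 ssh2
"""

# Matches OpenSSH's "Failed password for [invalid user] NAME from ADDR port N" message.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def count_failures(log_text):
    """Return {(user, source): number of failed password attempts}."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("user"), m.group("src"))] += 1
    return counts


def root_guessing_sources(log_text, threshold=3):
    """Sources with at least `threshold` failed root logins, sorted.

    Failures against an unknown account name are a guessed username; repeated
    failures against "root" need no guessing, which is why a hit here is a
    strong signal when root login is permitted at all.
    """
    return sorted(src for (user, src), n in count_failures(log_text).items()
                  if user == "root" and n >= threshold)


if __name__ == "__main__":
    for (user, src), n in sorted(count_failures(SAMPLE_AUTH_LOG).items()):
        print(f"{n:3d} failed password attempts for {user!r} from {src}")
    print("sources guessing the root password:", root_guessing_sources(SAMPLE_AUTH_LOG))
```

Point the script at a real sshd log instead of SAMPLE_AUTH_LOG to run it for real; disabling remote root login in sshd removes the target outright, and the check then only confirms that attempts keep coming.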