Date:      Mon, 22 Jan 2001 19:01:55 +0100 (CET)
From:      "Patrick M. Hausen" <hausen@punkt.de>
To:        otis@wilbury.sk (Juraj Lutter)
Cc:        tsikora@powerusersbbs.com (Ted Sikora), freebsd-stable@FreeBSD.ORG
Subject:   Re: ssh login
Message-ID:  <200101221801.TAA51972@hugo10.ka.punkt.de>
In-Reply-To: <20010122184442.C48980@wilbury.sk> from Juraj Lutter at "Jan 22, 2001 06:44:42 pm"

Hi all!

Juraj Lutter wrote:

> On Mon, Jan 22, 2001 at 12:38:15PM -0500, Ted Sikora wrote:
> > 
> > That was it. How can root be dangerous in ssh... isn't that why it
> > exists? Or would using su be better? I usually use ssh to remotely
> > administer the servers.
> 
> Yes, using ``su'' or ``sudo'' is a more elegant solution than remote
> root login. If I think about hacked boxes and patched ssh clients, it
> scares me to log in as root remotely :-)

Well, using su would not save you from a patched client recording
your keystrokes.

But, to provide a different answer to the original question:

ssh with root login enabled opens the system to remote dictionary
attacks, i.e. guessing the root password. Of course, you'd never choose a root
password that could easily be guessed, now, would you? ;-))

If you have to log in with your regular account first, the attacker
has to guess a valid login name first, then mount another
attack to get root privileges. The only account that will be on
_every_ (well, almost every) Unix system is "root", so there's no
need to guess that one.

It's common NT admin practice to rename the "Administrator"
account. And this _does_ improve security against remote attacks,
so it's not as moronic as it sounded to me when I first heard
about it.
Unfortunately MS made it rather easy to find out the name of
that particular account once you have successfully authenticated to
the NT domain in question, so beware of all "insiders" ;-)

Just one more level of indirection for the script kiddies to cope with.

Patrick
-- 
--- WEB ISS GmbH - Scheffelstr. 17a - 76135 Karlsruhe - 0721/9109-0 ---
------ Patrick M. Hausen - Technical Director - hausen@punkt.de -------
"Contrary to popular belief, penguins are not the salvation of modern
 technology.  Neither do they throw parties for the urban proletariat."
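As an added example that is not part of this thread: the difference Patrick describes is visible in sshd's own log. Against a server that permits root login, a dictionary attack shows up as repeated `Failed password for root`; with root login disabled the attacker first has to find a valid account, which sshd records as `invalid user`. The log lines below are constructed in the assumed OpenSSH syslog format, and the host name and addresses are placeholders.

```python
import re
from collections import Counter

# Constructed sample log (not from the original thread); addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan 22 19:01:01 host1 sshd[5123]: Failed password for root from 192.0.2.10 port 40001 ssh2
Jan 22 19:01:02 host1 sshd[5123]: Failed password for root from 192.0.2.10 port 40002 ssh2
Jan 22 19:01:03 host1 sshd[5123]: Failed password for root from 192.0.2.10 port 40003 ssh2
Jan 22 19:01:04 host1 sshd[5124]: Failed password for invalid user admin from 198.51.100.7 port 50001 ssh2
Jan 22 19:01:05 host1 sshd[5124]: Failed password for invalid user oracle from 198.51.100.7 port 50002 ssh2
Jan 22 19:01:06 host1 sshd[5125]: Accepted publickey for patrick from 203.0.113.5 port 51000 ssh2
Jan 22 19:01:07 host1 sshd[5126]: Failed password for patrick from 198.51.100.7 port 50003 ssh2
"""

# "invalid user " is only present when the account does not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def summarize_failures(log_text):
    """Count failed password attempts per source, split into root / nonexistent user / valid user."""
    root, invalid, valid = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        src, user = m.group("src"), m.group("user")
        if m.group("invalid"):
            invalid[src] += 1  # attacker is still guessing a login name
        elif user == "root":
            root[src] += 1  # direct root password guessing (needs PermitRootLogin)
        else:
            valid[src] += 1
    return root, invalid, valid


def flag_sources(log_text, threshold=3):
    """Return {source: [findings]} for sources at or above the attempt threshold."""
    root, invalid, valid = summarize_failures(log_text)
    findings = {}
    for src, n in root.items():
        if n >= threshold:
            findings.setdefault(src, []).append("root password guessing")
    for src, n in invalid.items():
        if n >= threshold:
            findings.setdefault(src, []).append("username guessing")
    for src, n in valid.items():
        if n >= threshold:
            findings.setdefault(src, []).append("password guessing against existing account")
    return findings
```

With the sample above and a threshold of 2, the first source is flagged for root password guessing and the second for username guessing; the single failure against an existing account stays below the threshold.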

