From owner-freebsd-stable Mon Jan 22 10: 2:28 2001
Delivered-To: freebsd-stable@freebsd.org
Received: from hugo10.ka.punkt.de (unknown [194.77.232.254]) by hub.freebsd.org (Postfix) with ESMTP id 3DC1C37B401 for ; Mon, 22 Jan 2001 10:02:06 -0800 (PST)
Received: (from ry93@localhost) by hugo10.ka.punkt.de (8.9.3/8.9.3) id TAA51972; Mon, 22 Jan 2001 19:01:55 +0100 (CET) (envelope-from ry93)
From: "Patrick M. Hausen"
Message-Id: <200101221801.TAA51972@hugo10.ka.punkt.de>
Subject: Re: ssh login
In-Reply-To: <20010122184442.C48980@wilbury.sk> from Juraj Lutter at "Jan 22, 2001 06:44:42 pm"
To: otis@wilbury.sk (Juraj Lutter)
Date: Mon, 22 Jan 2001 19:01:55 +0100 (CET)
Cc: tsikora@powerusersbbs.com (Ted Sikora), freebsd-stable@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hi all!

Juraj Lutter wrote:

> On Mon, Jan 22, 2001 at 12:38:15PM -0500, Ted Sikora wrote:
> >
> > That was it. How can root be dangerous in ssh.. isn't that why it
> > exists? Or would using su be better? I usually use ssh to remotely
> > administer the servers.
>
> Yes, using ``su'' or ``sudo'' is a more elegant solution than remote
> root login. If I think about hacked boxes and patched ssh clients, it
> makes me scared to login as root remote :-)

Well, using su would not save you from a patched client recording
your keystrokes.

But, to provide a different answer to the original question:
ssh with root login enabled opens the system to remote dictionary
attacks, i.e. guessing the root password. Of course, you'd never
choose a root password that could easily be guessed, now, would you? ;-))

If you have to login with your regular account first, the attacker
has to guess a valid login name first, then mount another attack to
get root privileges.
The only account that will be on _every_ (well, almost every) Unix
system is "root", so there's no need to guess that one.

It's common NT admin practice to rename the "Administrator" account.
And this _does_ improve security against remote attacks, so it's not
as moronic as it sounded to me when I first heard about it.
Unfortunately MS made it rather easy to find out the name of that
particular account, once you successfully authenticated to the NT
domain in question, so beware of all "insiders" ;-)

Just one more level of indirection for the script kiddies to cope with.

Patrick
--
--- WEB ISS GmbH - Scheffelstr. 17a - 76135 Karlsruhe - 0721/9109-0 ---
------ Patrick M. Hausen - Technical Director - hausen@punkt.de -------
"Contrary to popular belief, penguins are not the salvation of modern
technology. Neither do they throw parties for the urban proletariat."