Date:      Thu, 8 Nov 2001 12:29:44 -0500
From:      "Andrew C. Hornback" <achornback@worldnet.att.net>
To:        "Kutulu" <kutulu@kutulu.org>, "Anthony Atkielski" <anthony@atkielski.com>
Cc:        "Giorgos Keramidas" <charon@labs.gr>, <freebsd-questions@FreeBSD.ORG>
Subject:   RE: Re[2]: Tiny starter configuration for FreeBSD
Message-ID:  <013501c1687a$f47e47e0$6600000a@columbia>
In-Reply-To: <20011108101807.A10218@pr0n.kutulu.org>

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Kutulu
> Sent: Thursday, November 08, 2001 10:18 AM
> To: Anthony Atkielski
> Cc: Giorgos Keramidas; freebsd-questions@FreeBSD.ORG
> Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
>
> On Thu, Nov 08, 2001 at 09:01:54AM +0100, Anthony Atkielski wrote:
> > Currently I have telnetd turned off, and only sshd is running.  I also have all
> > incoming telnet and ssh traffic blocked at the router, and I only log in from my
> > tiny LAN.  So I should be safe logging in directly as root, although I might
> > reconsider if I ever need to log into the system from a remote location.
>
> If you only allow your root logins via a DSA public key (in sshd_config,
> set PermitRootLogins = without-password), there's a very good argument that
> you will be just as secure logging in as root, as you would be logging in as
> a user and using 'su'.  That is, if a malicious person is able to crack your DSA
> keys and pretend to be you, he/she can probably also locate the root password
> in the encrypted stream immediately following 'su', and decrypt it.

	But... as it's been pointed out, logging in directly as root doesn't allow
for the audit trail in the logs that logging in as a user and then using
'su' does.

	Logging in as root from anywhere but the console is bad practice, IMHO.

--- Andy
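
Added example (not part of the original message or thread): a short Python sketch of the audit-trail point made above, run over constructed log lines. The sshd and su message formats are assumed to match stock OpenSSH and FreeBSD su syslog output; the host name, users, addresses and function names are made up for illustration.

```python
import re

# Constructed sample lines (assumed stock sshd / FreeBSD su syslog formats).
SAMPLE_LOG = """\
Nov  8 10:02:11 host sshd[412]: Accepted publickey for root from 10.0.0.5 port 1022 ssh2
Nov  8 10:05:40 host sshd[431]: Accepted publickey for andy from 10.0.0.7 port 1030 ssh2
Nov  8 10:06:02 host su: andy to root on /dev/ttyp1
Nov  8 10:09:15 host su: BAD SU guest to root on /dev/ttyp2
""".splitlines()

# Direct root login: the log names only the account (root) and the source.
SSHD_ROOT = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for root from (?P<src>\S+) port \d+")
# su to root: the log names the invoking user; "BAD SU" marks a failed attempt.
SU_ROOT = re.compile(
    r"su(?:\[\d+\])?: (?P<bad>BAD SU )?(?P<user>\S+) to root on (?P<tty>\S+)")


def root_access_events(lines):
    """Return one record per attempt to obtain root, in log order."""
    events = []
    for line in lines:
        m = SSHD_ROOT.search(line)
        if m:
            events.append({"how": "ssh-direct", "actor": None,
                           "origin": m["src"], "ok": True})
            continue
        m = SU_ROOT.search(line)
        if m:
            events.append({"how": "su", "actor": m["user"],
                           "origin": m["tty"], "ok": m["bad"] is None})
    return events


def unattributed(events):
    """Successful root sessions the log cannot tie to a named user."""
    return [e for e in events if e["ok"] and e["actor"] is None]


if __name__ == "__main__":
    events = root_access_events(SAMPLE_LOG)
    for e in events:
        print(e)
    print("unattributed root sessions:", len(unattributed(events)))
```

On a host where several people hold a root-authorized key, the direct login record identifies only the source address, while each su record names the account that escalated.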
