From owner-freebsd-questions Thu Nov 8 9:36:18 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from mtiwmhc26.worldnet.att.net (mtiwmhc26.worldnet.att.net [204.127.131.51]) by hub.freebsd.org (Postfix) with ESMTP id B36D437B41F for ; Thu, 8 Nov 2001 09:36:14 -0800 (PST)
Received: from columbia ([12.93.210.253]) by mtiwmhc26.worldnet.att.net (InterMail vM.4.01.03.27 201-229-121-127-20010626) with SMTP id <20011108173613.WXFF4964.mtiwmhc26.worldnet.att.net@columbia>; Thu, 8 Nov 2001 17:36:13 +0000
From: "Andrew C. Hornback"
To: "Kutulu" , "Anthony Atkielski"
Cc: "Giorgos Keramidas" ,
Subject: RE: Re[2]: Tiny starter configuration for FreeBSD
Date: Thu, 8 Nov 2001 12:29:44 -0500
Message-ID: <013501c1687a$f47e47e0$6600000a@columbia>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
In-Reply-To: <20011108101807.A10218@pr0n.kutulu.org>
Importance: Normal
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

> -----Original Message-----
> From: owner-freebsd-questions@FreeBSD.ORG
> [mailto:owner-freebsd-questions@FreeBSD.ORG]On Behalf Of Kutulu
> Sent: Thursday, November 08, 2001 10:18 AM
> To: Anthony Atkielski
> Cc: Giorgos Keramidas; freebsd-questions@FreeBSD.ORG
> Subject: Re: Re[2]: Tiny starter configuration for FreeBSD
>
> On Thu, Nov 08, 2001 at 09:01:54AM +0100, Anthony Atkielski wrote:
> > Currently I have telnetd turned off, and only sshd is running. I also have all
> > incoming telnet and ssh traffic blocked at the router, and I only log in from my
> > tiny LAN. So I should be safe logging in directly as root, although I might
> > reconsider if I ever need to log into the system from a remote location.
>
> If you only allow your root logins via a DSA public key (in sshd_config,
> set PermitRootLogins = without-password), there's a very good argument that
> you will be just as secure logging in as root as you would be logging in as
> a user and using 'su'. That is, if a malicious person is able to crack your DSA
> keys and pretend to be you, he/she can probably also locate the root password
> in the encrypted stream immediately following 'su', and decrypt it.

But... as it's been pointed out, logging in directly as root doesn't allow for the audit trail in the logs that logging in as a user and then using 'su' does. Logging in as root from anywhere but the console is bad practice, IMHO.

--- Andy
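The two points argued in this message, key-only root login in sshd_config and the audit trail that su leaves but a direct root login does not, can both be checked mechanically. The following is an added example written for this page; it is not code from the thread, from FreeBSD or from OpenSSH. The sshd directive is spelled PermitRootLogin, and "without-password" is the older name for what current OpenSSH calls "prohibit-password"; the checker accepts both. The sshd_config fragments and the auth-log lines are constructed for the example, the su line format follows FreeBSD's "su: <user> to <user> on <tty>" style, and the regexes, the assumed OpenSSH 7.0+ default and the lack of Match-block handling are all assumptions to adapt to a real host.

```python
"""Added example, not code from the thread or from FreeBSD/OpenSSH.

1. permit_root_login()/audit_sshd_config(): does sshd_config restrict
   root to key-based login?
2. root_sessions(): walk auth-log lines and attribute each root shell to
   the account that obtained it. A direct root login has no originating
   user, which is the audit-trail objection in the reply above.

Config text and log lines below are constructed for this example; other
systems log su differently, so the regexes are assumptions to adapt.
"""
import re

# Constructed sshd_config fragments (not from any real host).
WEAK_SSHD_CONFIG = """\
# root may log in with a password
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
# root only with a key; everyone else logs in as a user and uses su
PermitRootLogin prohibit-password
PasswordAuthentication no
"""

# Old and new spellings of "root only with a key".
KEY_ONLY = {"without-password", "prohibit-password"}


def permit_root_login(config_text, default="prohibit-password"):
    """Effective PermitRootLogin value, lower-cased.

    sshd honours the first occurrence of a keyword and ignores later
    ones; "Keyword value" and "Keyword=value" are both accepted. The
    default assumes OpenSSH 7.0 or later (older releases defaulted to
    "yes"). Match blocks are not modelled: a PermitRootLogin inside one
    is treated as global, which is a simplification.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].strip().lower()
    return default


def audit_sshd_config(config_text):
    """One-line verdict on the root-login policy."""
    value = permit_root_login(config_text)
    if value == "no":
        return "ok: root login disabled, become root via su"
    if value in KEY_ONLY:
        return "ok: root login key-only (%s)" % value
    if value == "forced-commands-only":
        return "ok: root keys may only run their command= option"
    return "weak: PermitRootLogin %s allows password logins as root" % value


# Constructed auth-log lines in FreeBSD syslog style (not a real capture).
SAMPLE_AUTH_LOG = """\
Nov  8 12:01:02 columbia sshd[4211]: Accepted publickey for andy from 10.0.0.7 port 51822 ssh2
Nov  8 12:01:09 columbia su: andy to root on /dev/ttyp0
Nov  8 12:30:41 columbia sshd[4302]: Accepted publickey for root from 10.0.0.7 port 51901 ssh2
Nov  8 12:45:13 columbia sshd[4388]: Accepted password for root from 10.0.0.9 port 40122 ssh2
Nov  8 12:50:00 columbia su: BAD SU bob to root on /dev/ttyp1
"""

SSHD_ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
SU_RE = re.compile(r"\bsu: (BAD SU )?(\S+) to (\S+) on (\S+)")


def root_sessions(log_text):
    """Return (how, where_from, originating_user_or_None) per root shell.

    Successful su to root records the user who typed it; an sshd login
    as root records only the source address. Failed su (BAD SU) is a
    failed attempt, not a root shell, and is left out.
    """
    found = []
    for line in log_text.splitlines():
        m = SSHD_ACCEPT_RE.search(line)
        if m:
            method, user, src = m.groups()
            if user == "root":
                found.append(("ssh-" + method, src, None))
            continue
        m = SU_RE.search(line)
        if m and m.group(3) == "root" and not m.group(1):
            found.append(("su", m.group(4), m.group(2)))
    return found


def unattributed(sessions):
    """Root shells whose log trail names no human user."""
    return [s for s in sessions if s[2] is None]


if __name__ == "__main__":
    for cfg in (WEAK_SSHD_CONFIG, HARDENED_SSHD_CONFIG):
        print(audit_sshd_config(cfg))
    for how, src, via in root_sessions(SAMPLE_AUTH_LOG):
        print("%-14s from %-12s originating user: %s" % (how, src, via or "(none)"))
```

Run against the constructed log, the su session is attributed to andy while both direct root logins come back with no originating user; the password login is the case the hardened sshd_config fragment rules out, the key login is the case Kutulu argues is acceptable and Andy still objects to on audit grounds.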