Date: Fri, 02 Nov 2001 15:31:30 -0500 From: Joseph <jolt@nicholasofmyra.org> To: Anthony Atkielski <anthony@atkielski.com> Cc: FreeBSD Questions <freebsd-questions@FreeBSD.ORG> Subject: Re: Lockdown of FreeBSD machine directly on Net Message-ID: <3BE302A2.2080002@nicholasofmyra.org> References: <KPEMLBLEMPMHGLJOCDEGOECECMAA.scott@gerhardt-it.com> <01ae01c163cd$7cb00340$0a00000a@atkielski.com>
next in thread | previous in thread | raw e-mail | index | archive | help
I believe, given this scenario, it would only be bad practice. The risks of someone getting your password should be minimal. However, the unix philosophy in general is that you only become root if you have a specific task that needs to be performed as root. Unlike the widows world where the administrator is kept from being able to "shoot himself in the foot." The root user can pretty much do anything. If you tell the system to "rm -rf /", it will happily comply. Anthony Atkielski wrote: >So is it really an issue provided that I never log in to root from anywhere >except on my own LAN (which has only two machines, both of which are under my >exclusive control)? > >If I leave SSH login of root allowed, but with password authentication >disallowed, it seems to me that anyone trying to hack into the system from the >outside by a login to root would have quite a task before him, since he could >not guess passwords, and even if he knew the root password, it wouldn't help >him. He'd have to have the private SSH key for root to get in, and short of >somehow stealing it off one of my machines (which would imply that I had far >bigger security problems than just logins to root), I don't know how he'd get >that. There's no copy of it on the server, even. > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3BE302A2.2080002>