Message-ID: <3BE302A2.2080002@nicholasofmyra.org>
Date: Fri, 02 Nov 2001 15:31:30 -0500
From: Joseph
To: Anthony Atkielski
Cc: FreeBSD Questions
Subject: Re: Lockdown of FreeBSD machine directly on Net
References: <01ae01c163cd$7cb00340$0a00000a@atkielski.com>

I believe, given this scenario, it would only be bad practice. The risks of
someone getting your password should be minimal. However, the Unix philosophy
in general is that you only become root if you have a specific task that needs
to be performed as root. Unlike the Windows world, where the administrator is
kept from being able to "shoot himself in the foot," the root user can pretty
much do anything. If you tell the system to "rm -rf /", it will happily comply.

Anthony Atkielski wrote:

>So is it really an issue provided that I never log in to root from anywhere
>except on my own LAN (which has only two machines, both of which are under my
>exclusive control)?
>
>If I leave SSH login of root allowed, but with password authentication
>disallowed, it seems to me that anyone trying to hack into the system from the
>outside by a login to root would have quite a task before him, since he could
>not guess passwords, and even if he knew the root password, it wouldn't help
>him. He'd have to have the private SSH key for root to get in, and short of
>somehow stealing it off one of my machines (which would imply that I had far
>bigger security problems than just logins to root), I don't know how he'd get
>that. There's no copy of it on the server, even.
>
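
An added example, not part of the original message or of either poster's setup: a small Python check of whether an sshd_config really rules out password logins for root in the key-only arrangement discussed above. The sample config is constructed, the function names are hypothetical, and the check reads only the global section (settings inside Match blocks are ignored).

```python
# Added example. sshd uses the FIRST value it reads for each keyword, and
# keyboard-interactive authentication (often PAM-backed) can still accept a
# password even when PasswordAuthentication is "no".

SAMPLE_CONFIG = """\
# constructed sample, not taken from any real host
PermitRootLogin yes
PasswordAuthentication no
#KbdInteractiveAuthentication no
permitrootlogin no
Match Address 10.0.0.0/24
    PasswordAuthentication yes
"""

# ChallengeResponseAuthentication is the older name for the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# PermitRootLogin values that disable password-style logins for root.
ROOT_NO_PASSWORD = {"no", "prohibit-password", "without-password",
                    "forced-commands-only"}


def effective_settings(text):
    """Return the first value of each keyword in the global section."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks start here; stop
            break
        if len(parts) == 2:
            key = ALIASES.get(key, key)
            seen.setdefault(key, parts[1].strip().strip('"').lower())
    return seen


def root_password_login_possible(text):
    """True unless the global settings rule out a password login as root.

    A keyword that is not set is treated as possibly enabled, because the
    built-in default differs between releases and platforms.
    """
    s = effective_settings(text)
    if s.get("permitrootlogin") in ROOT_NO_PASSWORD:
        return False
    return not (s.get("passwordauthentication") == "no"
                and s.get("kbdinteractiveauthentication") == "no")


if __name__ == "__main__":
    print(effective_settings(SAMPLE_CONFIG))
    print("root password login possible:",
          root_password_login_possible(SAMPLE_CONFIG))
```

On the constructed sample the answer is True: the later "permitrootlogin no" never takes effect, and keyboard-interactive is left at its default.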