From: Mike Meyer
Date: Fri, 2 Nov 2001 21:02:44 -0600
To: swear@blarg.net (Gary W. Swearingen)
Cc: questions@freebsd.org
Subject: Re: Lockdown of FreeBSD machine directly on Net
In-Reply-To: <12496263@toto.iv>
Message-ID: <15331.24148.395880.525157@guru.mired.org>

Gary W. Swearingen types:
> Ben Eisenbraun writes:
>
> > change that to yes, HUP sshd, and it will allow root to login directly
> > via ssh.
> >
> > NOT RECOMMENDED.
>
> I'd like to know why. I'd think that if you can't trust ssh you might
> as well give up. I'd think the tiny reduction in risk (if any) would
> not be worth even the few extra seconds it takes to do the "su" and
> password entry.
>
> IF we assume ssh is secure, isn't it as safe to login as root via ssh as
> at the system console?
>
> Or do people recommend that that not be allowed either?

Yup. Someone logging in as root - no matter where - is completely
anonymous. Su leaves an audit trail. If you're the only one who has
the root password and in group wheel, then it doesn't matter much. If
there's a group of such people, then the audit trail is important.

http://www.mired.org/home/mwm/
Q: How do you make the gods laugh? A: Tell them your plans.
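An added example, not part of the thread, showing the two points above in code: which sshd_config value sshd will actually honour for PermitRootLogin (first occurrence wins), and what the auth log can and cannot tell you afterwards. The config fragments, host name, user names, addresses and log lines are all constructed for the example.

```python
import re

# Constructed sshd_config fragments (not from the thread): the weak setting and the corrected one.
WEAK_SSHD_CONFIG = "Protocol 2\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD_CONFIG = "Protocol 2\nPermitRootLogin no\nPasswordAuthentication yes\n"

# Constructed auth.log lines in FreeBSD syslog style; host, users and addresses are made up.
SAMPLE_AUTH_LOG = """\
Nov  2 21:02:44 guru su: mwm to root on /dev/ttyp0
Nov  2 21:05:10 guru sshd[1234]: Accepted password for root from 10.0.0.5 port 4022 ssh2
Nov  2 21:07:31 guru su: BAD SU gary to root on /dev/ttyp1
Nov  2 21:09:02 guru sshd[1250]: Accepted publickey for gary from 10.0.0.7 port 4031 ssh2
"""

SU_LINE = re.compile(r" su: (?P<bad>BAD SU )?(?P<user>\w+) to root on (?P<tty>\S+)$")
SSH_ROOT_LINE = re.compile(r" sshd\[\d+\]: Accepted (?P<method>\w+) for root from (?P<addr>\S+)")


def permit_root_login(config_text):
    """Effective PermitRootLogin value: sshd uses the first occurrence of a directive.
    Returns None when the directive is absent (the daemon's built-in default then applies)."""
    for line in config_text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return None


def root_access_events(log_lines):
    """Every event that yields (or tries to yield) a root shell, with the human actor when logged.
    su lines name the invoking user; a direct root ssh login names only 'root' and an address."""
    events = []
    for line in log_lines:
        m = SU_LINE.search(line)
        if m:
            events.append({"actor": m["user"], "via": "su on " + m["tty"], "ok": m["bad"] is None})
            continue
        m = SSH_ROOT_LINE.search(line)
        if m:
            events.append({"actor": None, "via": "ssh %s from %s" % (m["method"], m["addr"]), "ok": True})
    return events


def anonymous_root_logins(log_lines):
    """Successful root access with no recoverable actor: the audit gap Mike is describing."""
    return [e for e in root_access_events(log_lines) if e["ok"] and e["actor"] is None]


if __name__ == "__main__":
    print("weak config:", permit_root_login(WEAK_SSHD_CONFIG))
    print("hardened config:", permit_root_login(HARDENED_SSHD_CONFIG))
    for event in root_access_events(SAMPLE_AUTH_LOG.splitlines()):
        print(event)
```

With several people in wheel, the only line that cannot be traced back to a person is the direct root ssh login, which is exactly why su's trail matters.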