From owner-freebsd-questions@FreeBSD.ORG Fri Feb 4 00:01:01 2005 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 33DEE16A4E1 for ; Fri, 4 Feb 2005 00:01:01 +0000 (GMT) Received: from smtphost.cis.strath.ac.uk (smtphost.cis.strath.ac.uk [130.159.196.96]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5FD2143D39 for ; Fri, 4 Feb 2005 00:01:00 +0000 (GMT) (envelope-from chodgins@cis.strath.ac.uk) Received: from [192.168.0.4] (chrishodgins.force9.co.uk [84.92.20.141]) j1400ofe002856; Fri, 4 Feb 2005 00:00:50 GMT Message-ID: <4202BC4E.4090809@cis.strath.ac.uk> Date: Fri, 04 Feb 2005 00:05:34 +0000 From: Chris Hodgins User-Agent: Mozilla Thunderbird 1.0 (X11/20050202) X-Accept-Language: en-us, en MIME-Version: 1.0 To: Gert Cuykens References: <4202B512.9080306@cis.strath.ac.uk> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-CIS-MailScanner-Information: Please contact support@cis.strath.ac.uk for more information X-CIS-MailScanner: Found to be clean X-CIS-MailScanner-SpamCheck: not spam, SpamAssassin (score=0, required 6) X-CIS-MailScanner-From: chodgins@cis.strath.ac.uk cc: freebsd-questions@freebsd.org Subject: Re: ssh default security risc X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Feb 2005 00:01:01 -0000 Gert Cuykens wrote: > On Thu, 03 Feb 2005 23:34:42 +0000, Chris Hodgins > wrote: > >>Gert Cuykens wrote: >> >>>By default the root ssh is disabled. If a dedicated server x somewhere >>>far far away doesn't have root ssh enabled the admin is pretty much >>>screwed if they hack his user account and change the user password >>>right ? >>> >>>So is it not better to enable it by default ? >>>_______________________________________________ >>>freebsd-questions@freebsd.org mailing list >>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions >>>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org" >>> >> >>Every unix box has a root account. Not every unix box has a jblogs >>account. Lets take the example of a brute-force attempt. The first >>thing I would do would be to attack roots password. I know the account >>exists. Might as well go for the big prize first. >> >>So having a root account enabled is definetly a bad thing. >> >>Chris >> > > > Do you agree a user acount is most of the time more vonerable then the > root account ? Assuming you know the username then maybe. It depends on the strength of the users password. If they are only using private keys with passphrases then you probably won't be getting access that way with any account. > > If they can hack the root they can defenatly hack a user account too. > So i dont see any meaning of disabeling it. If they can hack root they own the system and can do what they like. By disabling root you remove the option of this happening. Instead they have to try and compromise a user account. Once they compromise the user account, they then have to gain root access (assuming that is their goal). Why bother with the hassle. There are plenty of machines out there already with weak root passwords. If a hacker really wants into your system he will find a way. Chris