Date: Fri, 4 Feb 2005 03:33:41 +0100 From: FreeBSD questions mailing list <FreeBSD@amadeus.demon.nl> To: Gert Cuykens <gert.cuykens@gmail.com> Cc: freebsd <freebsd-questions@freebsd.org> Subject: Re: ssh default security risc Message-ID: <74319c330bfa974501ea463b9ef4635c@amadeus.demon.nl> In-Reply-To: <ef60af09050203175930a30af9@mail.gmail.com> References: <ef60af09050203143220daf9f9@mail.gmail.com> <4202B512.9080306@cis.strath.ac.uk> <ef60af09050203153670e8f27f@mail.gmail.com> <4202BC4E.4090809@cis.strath.ac.uk> <ef60af090502031604391fcbd6@mail.gmail.com> <bf55966e0db107001d1dd92afb1e62e2@amadeus.demon.nl> <ef60af09050203175930a30af9@mail.gmail.com>
On 04 feb 2005, at 02:59, Gert Cuykens wrote:

> On Thu, 3 Feb 2005 16:54:01 -0800, FreeBSD questions mailing list
> <FreeBSD@amadeus.demon.nl> wrote:
>> You really need to look at it from a different point of view...
>> If you want to prevent people from breaking into your car you lock the doors.
>> Don't say "If they break the locks and get in, I can't use my key anymore. So keep the doors unlocked", do you?
>> My point of view...
>> Arno
>>
>
> I like this point of view game :)
>
> How many locks are there in your car? Let's say every user has a lock: the trunk, the left and the right door. Now imagine your little kid waving to you behind the windows. You want to kick his butt because he broke your brand new television set. You can't go in your car because he pushes on the lock button so you can't turn the key. To make things worse your kid is trying to play with the root engine but he can't get the engine to start. Enabling the ssh root is like having the remote car key that opens every door at once so you can get in to kick his butt :)
>

No it is not! It is like giving the key to the burglar who's after your car stereo. If he'd only know you (have your account) then he would only be able to trace your car, look at it, look what's inside but not change anything. He would still need to go after the keys...

Really it is the opposite of what you're thinking. If root login is disabled and an intruder hacks a user account he can only change things as much as you allow the account to make changes to the system. The intruder still needs to go for the root password after this, if he's after total control of your comp. When the intruder changes your password but doesn't get root access you can't get in but your system is far less damaged.

If root login is enabled then the intruder has half the work to get full access to the system. And you can't access the comp at all after that has happened.

A
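The setting the thread argues about is sshd's PermitRootLogin. As an added example (not part of the original mail), the script below audits a given sshd_config the way sshd reads it (case-insensitive keywords, first value wins, Match blocks only apply conditionally) and reports what an intruder who has captured a user account would still need; the sample configs are constructed, and the built-in default is an assumption passed as a parameter.

```shell
#!/bin/sh
# Added example, not from the thread. Report the effective PermitRootLogin
# value of an sshd_config. Per sshd_config(5): keywords are case-insensitive,
# the FIRST value found is used, and settings after a "Match" line apply only
# conditionally, so this check stops there.
# Usage: permit_root_login <config-file> [default-if-absent]
permit_root_login() {
    cfg=$1
    # Assumption: OpenSSH 7.0+ defaults to prohibit-password; releases of the
    # 2005 era defaulted to yes. Pass the second argument to match your version.
    default=${2:-prohibit-password}
    val=$(awk '
        { sub(/[ \t]*=[ \t]*/, " "); $0 = $0 }          # accept "Keyword=value" form
        tolower($1) == "match" { exit }                 # conditional block: stop
        NF == 0 || $1 ~ /^#/ { next }                   # skip blank/comment lines
        tolower($1) == "permitrootlogin" { print tolower($2); exit }
    ' "$cfg")
    [ -n "$val" ] && echo "$val" || echo "$default"
}

# Classify the effective value for a quick audit verdict.
root_login_risk() {
    case "$(permit_root_login "$1" "$2")" in
        yes)                                echo "HIGH: root can log in with a password" ;;
        prohibit-password|without-password) echo "MEDIUM: root can log in with a key only" ;;
        forced-commands-only)               echo "LOW: root limited to forced commands" ;;
        no)                                 echo "OK: root login disabled" ;;
        *)                                  echo "UNKNOWN value" ;;
    esac
}

# Constructed sample configs: a commented-out "no" has no effect and the
# first live value wins, so the weak file still permits password root login.
weak=$(mktemp); strong=$(mktemp)
printf 'Port 22\n# PermitRootLogin no\nPermitRootLogin yes\nPermitRootLogin no\n' > "$weak"
printf 'Port 22\npermitrootlogin no\nMatch Address 10.0.0.0/8\n    PermitRootLogin yes\n' > "$strong"
root_login_risk "$weak"     # -> HIGH: root can log in with a password
root_login_risk "$strong"   # -> OK: root login disabled
```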