From owner-freebsd-questions@FreeBSD.ORG Fri Feb 4 02:33:44 2005
From: FreeBSD questions mailing list
Date: Fri, 4 Feb 2005 03:33:41 +0100
To: Gert Cuykens
cc: freebsd
Subject: Re: ssh default security risc
Message-Id: <74319c330bfa974501ea463b9ef4635c@amadeus.demon.nl>
References: <4202B512.9080306@cis.strath.ac.uk> <4202BC4E.4090809@cis.strath.ac.uk>

On 04 feb 2005, at 02:59, Gert Cuykens wrote:

> On Thu, 3 Feb 2005 16:54:01 -0800, FreeBSD questions mailing list wrote:
>> You really need to look at it from a different point of view...
>> If you want to prevent people from breaking into your car you lock the
>> doors.
>> You don't say "If they break the locks and get in, I can't use my key
>> anymore. So keep the doors unlocked", do you?
>> My point of view...
>> Arno
>>
>
> I like this point of view game :)
>
> How many locks are there in your car? Let's say every user has a lock:
> the trunk, the left and the right door. Now imagine your little kid
> waving to you behind the windows. You want to kick his butt because he
> broke your brand new television set. You can't go in your car because
> he pushes on the lock button so you can't turn the key. To make things
> worse your kid is trying to play with the root engine but he can't get
> the engine to start. Enabling the ssh root is like having the remote
> car key that opens every door at once so you can get in to kick his
> butt :)
>

No it is not!

It is like giving the key to the burglar who's after your car stereo. If he only knew you (had your account) then he would only be able to trace your car, look at it, look what's inside, but not change anything. He would still need to go after the keys...

Really it is the opposite of what you're thinking. If root login is disabled and an intruder hacks a user account he can only change things as much as you allow the account to make changes to the system. The intruder still needs to go for the root password after this, if he's after total control of your comp. When the intruder changes your password but doesn't get root access you can't get in, but your system is far less damaged.

If root login is enabled then the intruder has half the work to get full access to the system. And you can't access the comp at all after that has happened.

A
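The argument above rests on one sshd setting: whether root may log in over SSH at all. The thread never names the option; in OpenSSH it is the sshd_config keyword PermitRootLogin. The script below is an added example, not code from the thread, from FreeBSD or from OpenSSH. It reads an sshd_config, reports the effective global PermitRootLogin value and classifies it from the defender's side: only "no" gives the two-step property Arno describes (a compromised user account still has to obtain root some other way). The three sshd_config files it writes are constructed samples for the demonstration; the function names and the "unset" classification are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread: audit the PermitRootLogin setting in an
# sshd_config file. The sample configs written below are constructed.

# Print the effective global PermitRootLogin value from the given file.
# Per sshd_config(5) the first obtained value for a keyword wins, and a value
# inside a Match block only applies to that block, so scanning stops at the
# first "Match" line. Keywords are case-insensitive and "=" may separate key
# and value. Prints "unset" when the keyword is absent in the global section,
# meaning the compiled-in default applies ("yes" in old OpenSSH releases,
# "prohibit-password" since OpenSSH 7.0).
effective_permit_root_login() {
    value=$(awk '
        { sub(/^[ \t]+/, ""); split($0, f, /[ \t=]+/) }
        tolower(f[1]) == "match" { exit }
        tolower(f[1]) == "permitrootlogin" { print tolower(f[2]); exit }
    ' "$1")
    if [ -n "$value" ]; then
        echo "$value"
    else
        echo "unset"
    fi
}

# Classify the value. "no" keeps root off SSH entirely; "prohibit-password"
# (older alias "without-password") still lets root in with a key; "yes", or
# an unset value on an old release, exposes root to password guessing directly.
classify_root_login() {
    case "$(effective_permit_root_login "$1")" in
        no)                                 echo "disabled" ;;
        prohibit-password|without-password) echo "keys-only" ;;
        forced-commands-only)               echo "forced-commands-only" ;;
        yes)                                echo "enabled" ;;
        unset)                              echo "unset" ;;
        *)                                  echo "invalid" ;;
    esac
}

# Exit status 0 if root is kept off SSH entirely, 1 otherwise (for use in scripts).
root_login_disabled() {
    [ "$(classify_root_login "$1")" = "disabled" ]
}

# Demonstration with three constructed configs.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config.weak" <<'EOF'
# constructed sample: root may log in with a password over SSH
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$demo_dir/sshd_config.misplaced" <<'EOF'
# constructed sample: the admin put the setting inside a Match block, so the
# global section is still at the compiled-in default
Port 22
Match Address 192.0.2.0/24
    PermitRootLogin no
EOF
cat > "$demo_dir/sshd_config.hardened" <<'EOF'
# constructed sample: root cannot log in over SSH; log in as a user, then su
Port 22
PermitRootLogin no
PasswordAuthentication no
EOF
for f in "$demo_dir"/sshd_config.*; do
    printf '%s: PermitRootLogin=%s (%s)\n' "$f" \
        "$(effective_permit_root_login "$f")" "$(classify_root_login "$f")"
done
rm -rf "$demo_dir"
```

Run it as a plain sh script; pass your own file to effective_permit_root_login or root_login_disabled to check a live /etc/ssh/sshd_config. The "misplaced" sample is the case worth remembering: a PermitRootLogin line that sits under a Match block does not protect the global section, and the script reports "unset" for it rather than "no".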