From: Gert Cuykens
To: FreeBSD questions mailing list
Cc: freebsd
Date: Fri, 4 Feb 2005 04:10:11 +0100
Subject: Re: ssh default security risc
In-Reply-To: <74319c330bfa974501ea463b9ef4635c@amadeus.demon.nl>

On Fri, 4 Feb 2005 03:33:41 +0100, FreeBSD questions mailing list wrote:
>
> On 04 feb 2005, at 02:59, Gert Cuykens wrote:
>
> > On Thu, 3 Feb 2005 16:54:01 -0800, FreeBSD questions mailing list
> > wrote:
> >> You really need to look at it from a different point of view...
> >> If you want to prevent people from breaking into your car you lock the
> >> doors.
> >> Don't say "If they break the locks and get in, I can't use my key
> >> anymore. So keep the doors unlocked", do you?
> >> My point of view...
> >> Arno
> >>
> >
> > I like this point of view game :)
> >
> > How many locks are there in your car, let's say every user has a lock
> > the trunk the left and the right door. Now imagine your little kid
> > waving to you behind the windows. You want to kick his butt because he
> > broke your brand new television set. You can't go in your car because
> > he pushes on the lock button so you can't turn the key. To make things
> > worse your kid is trying to play with the root engine but he can't get
> > the engine to start. Enabling the ssh root is like having the remote
> > car key that opens every door at once so you can get in to kick his
> > butt :)
> >
> No it is not!
> It is like giving the key to the burglar who's after your car stereo.
> If he'd only know you (have your account) then he would only be able to
> trace your car, look at it, look what's inside but not change anything.
> He would still need to go after the keys...
>
> Really it is the opposite of what you're thinking.
> If root login is disabled and an intruder hacks a user account he can
> only change things as much as you allow the account to make changes to
> the system.
> The intruder still needs to go for the root password after this, if
> he's after total control of your comp.
> When the intruder changes your password but doesn't get root access you
> can't get in but your system is far less damaged.
>
> If root login is enabled then the intruder has half the work to get
> full access to the system.
> And you can't access the comp at all after that has happened.
>
> A
>

OK, I admit that two passwords are more secure than one :)
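
Whether root login over ssh is really disabled on a host, as the quoted reply recommends, can be checked from its sshd_config. The following is an added example, not part of the original thread: the function names, the sample file and the `default="no"` fallback are assumptions (set the fallback to your build's default), and `Include` files are not followed.

```python
import re

# keyword and argument are separated by whitespace or a single "="
LINE = re.compile(r'^(\w+)(?:\s*=\s*|\s+)(.*)$')

def permit_root_login(config_text, default="no"):
    """Return (global_value, match_overrides) for PermitRootLogin.

    sshd uses the first value it obtains for a keyword, so a later
    duplicate line does not override an earlier one. Lines after a
    Match keyword apply only to matching connections and are returned
    separately. `default` is an assumption used when the keyword is unset.
    """
    global_value, overrides, match_ctx = None, [], None
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:  # blank line, comment or keyword without argument
            continue
        keyword = m.group(1).lower()
        arg = m.group(2).split("#")[0].strip().strip('"')
        if keyword == "match":
            match_ctx = arg
        elif keyword == "permitrootlogin":
            if match_ctx is not None:
                overrides.append((match_ctx, arg.lower()))
            elif global_value is None:
                global_value = arg.lower()
    return (global_value or default), overrides

def root_login_findings(config_text, default="no"):
    """List every context in which root can still log in over ssh."""
    value, overrides = permit_root_login(config_text, default)
    findings = []
    if value != "no":
        findings.append(f"global: PermitRootLogin {value}")
    findings += [f"Match {ctx}: PermitRootLogin {v}"
                 for ctx, v in overrides if v != "no"]
    return findings

# Constructed sample configuration, not taken from any real host.
SAMPLE = """
Port 22
#PermitRootLogin yes
PermitRootLogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    print(permit_root_login(SAMPLE))
    print(root_login_findings(SAMPLE))
```

On a live host, `sshd -T` prints the effective configuration the daemon would use, which also covers included files.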