Date: Fri, 4 Feb 2005 10:09:00 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Ted Mittelstaedt <tedm@toybox.placo.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ssh default security risc
Message-ID: <20050204080900.GA792@orion.daedalusnetworks.priv>
In-Reply-To: <LOBBIFDAGNMAMLGJJCKNKEDLFAAA.tedm@toybox.placo.com>
References: <20050204060106.GB51807@gothmog.gr> <LOBBIFDAGNMAMLGJJCKNKEDLFAAA.tedm@toybox.placo.com>
On 2005-02-03 22:54, Ted Mittelstaedt <tedm@toybox.placo.com> wrote:
>Giorgos Keramidas wrote:
>>On 2005-02-04 01:04, Gert Cuykens <gert.cuykens@gmail.com> wrote:
>>> On Fri, 04 Feb 2005 00:05:34 +0000, Chris Hodgins
>>> <chodgins@cis.strath.ac.uk> wrote:
>>> True but the point is without the ssh root enabled there is
>>> nothing you can do about it to stop them if they change your user
>>> password
>>
>> [...]
>> You may also want to consider that having SSH enabled for root
>> means there is only ONE step at becoming root from any remote
>> location.
>>
>> Having to SSH as a user first, with the right combination of SSH
>> keys and passwords, and then use su(1) with yet another password is
>> at least one more step.
>>
>> Why is the first, 1-step procedure safer than the second?
>
> I think I'm going to interject a few things here to this discussion,
> which has turned into a ridiculous religious argument.
>
> In answer to your question about a 1-step procedure safer than the
> second, well as a matter of fact there are circumstances when it is.
> For example:
>
> [snip great advice about securing ssh access]

I was (perhaps not so) obviously referring to "all other things being
equal, allowing ssh access to a plain user is safer than allowing direct
ssh access to root."  All great points, though.

Thanks Ted.

- Giorgos
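As an added illustration of the quoted point (this script is not part of the thread and is not FreeBSD's own tooling), the sh/awk check below reports the effective global PermitRootLogin value of an sshd_config, the setting that decides whether root is one step or two steps away. The sample configs are constructed; the host address and user names in them are placeholders.

```shell
#!/bin/sh
# Report the effective top-level PermitRootLogin setting of an sshd_config.
# sshd_config semantics relied on here: the first occurrence of a keyword
# wins, "#" starts a comment, and directives after a "Match" line are
# conditional, so they are not counted as the global setting.
effective_permit_root_login() {
  printf '%s\n' "$1" | awk '
    tolower($1) == "match" { exit }   # conditional section: stop scanning
    tolower($1) == "permitrootlogin" && !seen { print tolower($2); seen = 1 }
    END { if (!seen) print "unset" }  # the sshd built-in default then applies
  '
}

# Constructed sample: the one-step-to-root setup the thread warns about.
WEAK_CFG='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

# Constructed sample: ssh in as a plain user, then su(1) to root with a second
# password (on FreeBSD only members of group wheel may su to root).
HARDENED_CFG='Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication no'

# Constructed sample: the only PermitRootLogin line sits inside a Match block,
# so there is no global override and the sshd default applies.
MATCH_ONLY_CFG='Port 22
Match User backup
    PermitRootLogin yes'

report() {
  # Print one line per config: its name and the value the check found.
  for name in WEAK_CFG HARDENED_CFG MATCH_ONLY_CFG; do
    eval "cfg=\$$name"
    printf '%-15s PermitRootLogin=%s\n' "$name" \
      "$(effective_permit_root_login "$cfg")"
  done
}

report
```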