Date:      Fri, 4 Feb 2005 23:06:38 -0800
From:      "Loren M. Lang" <lorenl@alzatex.com>
To:        Gert Cuykens <gert.cuykens@gmail.com>
Cc:        Chris Hodgins <chodgins@cis.strath.ac.uk>
Subject:   Re: ssh default security risc
Message-ID:  <20050205070638.GK8619@alzatex.com>
In-Reply-To: <ef60af090502031604391fcbd6@mail.gmail.com>
References:  <ef60af09050203143220daf9f9@mail.gmail.com> <4202B512.9080306@cis.strath.ac.uk> <ef60af09050203153670e8f27f@mail.gmail.com> <4202BC4E.4090809@cis.strath.ac.uk> <ef60af090502031604391fcbd6@mail.gmail.com>

On Fri, Feb 04, 2005 at 01:04:34AM +0100, Gert Cuykens wrote:
> On Fri, 04 Feb 2005 00:05:34 +0000, Chris Hodgins
> <chodgins@cis.strath.ac.uk> wrote:
> > Gert Cuykens wrote:
> > > On Thu, 03 Feb 2005 23:34:42 +0000, Chris Hodgins
> > > <chodgins@cis.strath.ac.uk> wrote:
> > >
> > >>Gert Cuykens wrote:
> > >>
> > >>>By default the root ssh is disabled. If a dedicated server x somewhere
> > >>>far far away doesn't have root ssh enabled, the admin is pretty much
> > >>>screwed if they hack his user account and change the user password,
> > >>>right?
> > >>>
> > >>>So is it not better to enable it by default ?
> > >>>_______________________________________________
> > >>>freebsd-questions@freebsd.org mailing list
> > >>>http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> > >>>To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> > >>>
> > >>
> > >>Every unix box has a root account.  Not every unix box has a jblogs
> > >>account.  Let's take the example of a brute-force attempt.  The first
> > >>thing I would do would be to attack root's password.  I know the account
> > >>exists.  Might as well go for the big prize first.
> > >>
> > >>So having a root account enabled is definitely a bad thing.
> > >>
> > >>Chris
> > >>
> > >
> > >
> > > Do you agree a user account is most of the time more vulnerable than the
> > > root account?
> > 
> > Assuming you know the username then maybe.  It depends on the strength
> > of the users password.  If they are only using private keys with
> > passphrases then you probably won't be getting access that way with any
> > account.
> > 
> > >
> > > If they can hack the root they can definitely hack a user account too.
> > > So I don't see any meaning in disabling it.
> > 
> > If they can hack root they own the system and can do what they like.  By
> > disabling root you remove the option of this happening.  Instead they
> > have to try and compromise a user account.  Once they compromise the
> > user account, they then have to gain root access (assuming that is their
> > goal).  Why bother with the hassle.  There are plenty of machines out
> > there already with weak root passwords.  If a hacker really wants into
> > your system he will find a way.
> > 
> > Chris
> 
> True, but the point is that without root ssh enabled there is nothing
> you can do to stop them if they change your user password.

Uh, if they login as root, then change the root password and disable all
other user accounts (VERY easy to do as root), then you're even worse off.
There is NO backup plan for this short of pulling the power cord,
assuming you're even around it.

But ignoring this possibility then...

Well, if you can't manage to use a strong enough password, or disable
password logins and just use something more secure like public key auth or
skey which, for all intents and purposes, won't be broken,
then maybe your best bet is to set up two different backup usernames that
only you know about so in the event someone cracks your account you can
still login and stop them.  A normal user can't change another user's
password unless you do something to reduce your system's security like
enabling sudo for your user which can run any and all commands as root.

-- 
I sense much NT in you.
NT leads to Bluescreen.
Bluescreen leads to downtime.
Downtime leads to suffering.
NT is the path to the darkside.
Powerful Unix is.

Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: B3B9 D669 69C9 09EC 1BCD  835A FAF3 7A46 E4A3 280C
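Added example, not part of this thread and not FreeBSD's or OpenSSH's own code: a POSIX shell audit of the sshd_config keywords the discussion turns on (PermitRootLogin, PasswordAuthentication, ChallengeResponseAuthentication). It encodes two checks a practitioner wants when "disabling password logins": sshd uses the first value it finds for a keyword, so a hardened line appended at the bottom of the file loses to an earlier weak one, and anything after a Match line is conditional rather than global. The two config files are constructed samples written to a temporary path; the defaults assumed for unset keywords are OpenSSH's (PasswordAuthentication and ChallengeResponseAuthentication default to yes; PermitRootLogin's default varies by build, so unset is flagged).

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# settings discussed above. sshd takes the FIRST value it sees for a
# keyword and keywords are case-insensitive; lines after "Match" are
# conditional, so only the global section is inspected here.

# effective_value FILE KEYWORD
#   Print the global value sshd will use for KEYWORD ("" if unset).
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/        { next }        # comment line
        NF < 2                  { next }        # blank / malformed
        tolower($1) == "match"  { exit }        # end of global section
        tolower($1) == key      { print $2; exit }   # first match wins
    ' "$1"
}

# weak_settings FILE
#   Print one "Keyword=value" token per weak setting, nothing if hardened.
#   Unset keywords are treated as their OpenSSH defaults (assumption noted
#   in the lead-in): password and challenge-response auth default to yes,
#   and an unset PermitRootLogin is flagged because its default is build-specific.
weak_settings() {
    f=$1
    out=""
    v=$(effective_value "$f" PermitRootLogin)
    case "$v" in
        no|prohibit-password|without-password) ;;
        "") out="$out PermitRootLogin=unset" ;;
        *)  out="$out PermitRootLogin=$v" ;;
    esac
    v=$(effective_value "$f" PasswordAuthentication)
    [ "${v:-yes}" = "no" ] || out="$out PasswordAuthentication=${v:-yes}"
    v=$(effective_value "$f" ChallengeResponseAuthentication)
    [ "${v:-yes}" = "no" ] || out="$out ChallengeResponseAuthentication=${v:-yes}"
    printf '%s\n' "${out# }"
}

# Constructed sample configs (not from any real host).
# The weak one shows the classic mistake: a hardened "PermitRootLogin no"
# appended after an earlier "yes" is silently ignored, and the commented-out
# PasswordAuthentication line leaves the default (yes) in force.
WEAK_CONF="${TMPDIR:-/tmp}/sshd_config.weak.$$"
cat > "$WEAK_CONF" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
ChallengeResponseAuthentication yes
# appended later in the hope of hardening the box: ignored, "yes" came first
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF

HARD_CONF="${TMPDIR:-/tmp}/sshd_config.hard.$$"
cat > "$HARD_CONF" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

# Usage: run as-is, or call weak_settings /etc/ssh/sshd_config on a real box.
echo "weak config:     $(weak_settings "$WEAK_CONF")"
echo "hardened config: $(weak_settings "$HARD_CONF")"
```

Because the parser stops at the first Match line, a per-user "PasswordAuthentication no" inside a Match block is correctly not counted as hardening the global setting; the reverse mistake (a global "no" with a Match block that re-enables passwords for some user) needs a Match-aware check that this example does not attempt.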