Date: Fri, 4 Feb 2005 01:04:34 +0100
From: Gert Cuykens <gert.cuykens@gmail.com>
To: Chris Hodgins <chodgins@cis.strath.ac.uk>
Cc: freebsd-questions@freebsd.org
Subject: Re: ssh default security risc
Message-ID: <ef60af090502031604391fcbd6@mail.gmail.com>
In-Reply-To: <4202BC4E.4090809@cis.strath.ac.uk>
References: <ef60af09050203143220daf9f9@mail.gmail.com> <4202B512.9080306@cis.strath.ac.uk> <ef60af09050203153670e8f27f@mail.gmail.com> <4202BC4E.4090809@cis.strath.ac.uk>
On Fri, 04 Feb 2005 00:05:34 +0000, Chris Hodgins <chodgins@cis.strath.ac.uk> wrote:
> Gert Cuykens wrote:
> > On Thu, 03 Feb 2005 23:34:42 +0000, Chris Hodgins
> > <chodgins@cis.strath.ac.uk> wrote:
> >
> >> Gert Cuykens wrote:
> >>
> >>> By default the root ssh is disabled. If a dedicated server x somewhere
> >>> far far away doesn't have root ssh enabled the admin is pretty much
> >>> screwed if they hack his user account and change the user password,
> >>> right?
> >>>
> >>> So is it not better to enable it by default?
> >>
> >> Every unix box has a root account. Not every unix box has a jblogs
> >> account. Let's take the example of a brute-force attempt. The first
> >> thing I would do would be to attack root's password. I know the account
> >> exists. Might as well go for the big prize first.
> >>
> >> So having a root account enabled is definitely a bad thing.
> >>
> >> Chris
> >
> > Do you agree a user account is most of the time more vulnerable than the
> > root account?
>
> Assuming you know the username then maybe. It depends on the strength
> of the user's password. If they are only using private keys with
> passphrases then you probably won't be getting access that way with any
> account.
>
> > If they can hack the root they can definitely hack a user account too.
> > So I don't see any meaning in disabling it.
>
> If they can hack root they own the system and can do what they like. By
> disabling root you remove the option of this happening. Instead they
> have to try and compromise a user account. Once they compromise the
> user account, they then have to gain root access (assuming that is their
> goal). Why bother with the hassle. There are plenty of machines out
> there already with weak root passwords. If a hacker really wants into
> your system he will find a way.
>
> Chris

True, but the point is that without root ssh enabled there is nothing you can do about it to stop them if they change your user password.
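The thread turns on two sshd_config settings: whether root may log in over ssh at all, and whether passwords are accepted (Chris's point that key-plus-passphrase logins are not brute-forceable). The script below is an added example, not code from the thread or from FreeBSD: it parses an sshd_config, reports the risky settings, and classifies what recovery path to root an admin would still have if a user account were lost. Both config texts are constructed for the example, the 192.0.2.0/24 address is the RFC 5737 documentation range, and the parser assumes OpenSSH's rule that the first occurrence of a keyword wins and that an unset keyword falls back to a build-specific default (which is why it reports "unset" rather than guessing one).

```python
"""Audit an sshd_config for the root-login and password settings the thread argues about."""
import re

# sshd accepts "Keyword value" and "Keyword=value"; keywords are case-insensitive.
_KV = re.compile(r"^([A-Za-z]+)\s*[\s=]\s*(.*)$")

# Keywords to inspect, with the value that realises the risk discussed above.
# Display names are kept so findings read like the config file itself.
_RISKY = {
    "permitrootlogin": ("PermitRootLogin", "yes",
                        "root is a guaranteed account name, so a password login "
                        "for it is the first brute-force target"),
    "passwordauthentication": ("PasswordAuthentication", "yes",
                               "password logins accepted; keys with passphrases "
                               "cannot be guessed this way"),
    "permitemptypasswords": ("PermitEmptyPasswords", "yes",
                             "accounts with empty passwords can log in"),
}

# Constructed example: what "enable root ssh by default" would look like.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# sshd ignores this second value: the first one above wins
PermitRootLogin no
"""

# Constructed example: root reachable only with a key, no password logins at all,
# except from a (constructed) management subnet in the documentation range.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin without-password
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Match Address 192.0.2.0/24
    PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Return (global_settings, match_blocks).

    sshd honours the FIRST occurrence of a keyword and ignores later ones, so a
    keyword is recorded only the first time it is seen in a scope. Every line
    after a `Match` line belongs to that conditional block.
    """
    global_settings = {}
    match_blocks = []            # list of (criteria string, {keyword: value})
    scope = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            scope = {}
            match_blocks.append((value, scope))
            continue
        scope.setdefault(key, value)          # first occurrence wins
    return global_settings, match_blocks


def audit(text):
    """Return findings as (scope, keyword, message); an empty list means nothing to fix."""
    findings = []
    global_settings, match_blocks = parse_sshd_config(text)

    def check(scope_name, settings, report_unset):
        for key, (name, bad, why) in _RISKY.items():
            value = settings.get(key)
            if value is None:
                # Unset means the compiled-in default applies, and that differs
                # between OpenSSH versions and vendor builds: ask for it explicitly.
                if report_unset and key != "permitemptypasswords":
                    findings.append((scope_name, name,
                                     "unset: build default applies, set it explicitly"))
            elif value.lower() == bad:
                findings.append((scope_name, name, f"{value}: {why}"))

    check("global", global_settings, report_unset=True)
    for criteria, settings in match_blocks:
        # A Match block only matters for the keywords it overrides itself.
        check(f"Match {criteria}", settings, report_unset=False)
    return findings


def root_recovery_path(text):
    """How an admin could still reach root over ssh after losing a user account:
    'password' (root password accepted), 'key-only', 'none', or 'default'
    (unset, so the build's default decides). Challenge-response auth is ignored."""
    global_settings, _ = parse_sshd_config(text)
    value = global_settings.get("permitrootlogin")
    if value is None:
        return "default"
    value = value.lower()
    passwords = global_settings.get("passwordauthentication", "yes").lower()
    if value == "yes":
        return "password" if passwords == "yes" else "key-only"
    if value in ("without-password", "prohibit-password"):
        return "key-only"
    return "none"


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: root recovery path = {root_recovery_path(cfg)}")
        for scope, key, msg in audit(cfg):
            print(f"  [{scope}] {key} {msg}")
```

Run against the hardened text the only finding is the Match block, which is the intended exception; against the weak text both global settings are flagged, and the trailing `PermitRootLogin no` is correctly ignored because sshd keeps the first value. `without-password` (spelled `prohibit-password` on OpenSSH 7.0 and later) is the setting that answers the lockout worry in the thread without exposing root's password to guessing: root stays reachable, but only with a key.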
