On Mon, 2002-02-25 at 02:20, Alexander Skwar wrote:
> Hello.
> 
> When I installed my new machine I've chosen the "high" security level.
> I suppose that's the reason that in /etc/ssh/sshd.config root logins are
> disabled, correct?
> 
> If so, why are root ssh logins disabled?  I further suppose that is
> because root ssh logins are "bad".  Correct?  Well, but why are they
> "bad"?  In what way is it more secure to first ssh to a normal user
> account and then do a su to become root?
> 

root login via a remote service (even secure shell) is _very_ high risk.
Why is it a high risk? There are a number of scenarios which are
possible; I will only name a few.
One would be someone sniffing traffic on your network with a tool such
as dsniff (http://www.monkey.org/~dugsong/dsniff/), which could be used
for a MITM attack or simply to sniff out your root password.
It's very possible in the future that a Common Vulnerability will be
found in sshd (present versions and future), for example a brute force
exploit against sshd, or perhaps a buffer overflow of some sort that
allows you to bypass password auth and simply log in.
Another way which is always overlooked is social engineering. It's quite
easy to get passwords from a tech. monkey.
And so on and so on...

Furthermore, not only good security practice, but sysadmin practice,
is to use the root account as little as possible.
Not only do you open yourself up to "possible" attacks, but you also
leave room for a nasty mistake (e.g. cd /. && rm -rf *).
On top of that, you're showing that your system is not tight, and you
are naive to the potentials waiting (can't count how many people I've
seen irc as root and get rooted by some jerk).

I notice in some of the earlier messages the advice was to give no
password.
This is very bad practice. root should have a password, a good one too : )
People assume that because pam is in place, a password is required to
login, thus not giving root a password is the ultimate security.
Well, let's just say you boot to run level one, or boot the kernel with
init=/bin/sh (or bash or csh). This circumvents that idea (though this
moves on to local/physical security).
Also, bugs have been found in pam in the past, as they will be in the future.

Your normal users should have good strong passwords as well,
particularly ones with root access.
'su' IMHO is obsolete. Use sudo instead; it's a much more secure way of
maintaining the system with root access when need be.
Why is it more secure?
From one perspective, you can wipe out most of the possibility of having
your root and/or other passwords sniffed out by using the optional
NOPASSWD (man sudoers); this can then be restricted to only certain
commands, coming from certain addresses, etc...
There's much much more that sudo can do for you, but that's what the man
page is for : )

There are many many many other arguments, opinions, and so forth that
could be put in motion here, but I think the above should suffice : ) 


-- 
Bryan Paxton
Public PGP key: http://www.deadhorse.net/bpaxton.gpg

"Heedfulness: the path to the Deathless.
Heedlessness: the path to death.
The heedful do not die.
The heedless are as if already dead." -- Dhp. 21-24
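The two settings the thread turns on (PermitRootLogin in sshd_config, and a sudoers NOPASSWD entry narrowed to certain commands and hosts) can be checked and compared with a small script. The following is an added example, not code from the original mail or from either poster: it audits an sshd_config for the effective root-login value, flags sudoers files that grant NOPASSWD on ALL commands, and shows a weak and a restricted version of each file side by side. Every file name, user name (alice, bob), address (192.0.2.x) and command path in it is constructed for the demonstration; Match blocks and the "Keyword=value" spelling of sshd_config are deliberately not handled.

```shell
#!/bin/sh
# Added example, not code from the original mail. It audits an sshd_config for
# the root-login setting discussed above and flags sudoers entries that hand
# out NOPASSWD on every command. All file names, user names and addresses are
# constructed for the demonstration. Simplifications (assumptions): Match
# blocks and the "Keyword=value" spelling of sshd_config are not handled.

# Print the effective value of an sshd_config keyword. sshd honours the FIRST
# occurrence of a keyword, so the scan stops at the first match; keywords are
# case-insensitive, values are not. Prints "default:<value>" when unset.
sshd_effective() {
    # $1 = config file, $2 = keyword, $3 = default to report when absent
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        tolower($1) == key { print $2; exit }
    ' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf 'default:%s\n' "$3"
    fi
}

# Return 0 if root can log in over ssh at all. Only "no" closes the door;
# "prohibit-password" (the default on current OpenSSH; old releases defaulted
# to "yes"), "without-password" and "forced-commands-only" still permit root
# key logins.
root_login_permitted() {
    v=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    case "${v#default:}" in
        no) return 1 ;;
        *)  return 0 ;;
    esac
}

# Return 0 if a sudoers file contains an active NOPASSWD grant on ALL commands:
# with that, a stolen user password is a root password with one extra hop.
nopasswd_unrestricted() {
    grep -Eiq '^[^#]*NOPASSWD:[[:space:]]*ALL([[:space:]]|$)' "$1"
}

# --- constructed sample files (not taken from any real host) ----------------
WEAK_SSHD=$(mktemp); SAFE_SSHD=$(mktemp)
WEAK_SUDO=$(mktemp); SAFE_SUDO=$(mktemp)
trap 'rm -f "$WEAK_SSHD" "$SAFE_SSHD" "$WEAK_SUDO" "$SAFE_SUDO"' EXIT

cat >"$WEAK_SSHD" <<'EOF'
# weak: root may log in with a password straight from the network
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat >"$SAFE_SSHD" <<'EOF'
# hardened: log in as an ordinary user, escalate with sudo
Port 22
PermitRootLogin no
PasswordAuthentication yes
PermitEmptyPasswords no
EOF

cat >"$WEAK_SUDO" <<'EOF'
# weak: any command, as root, no password, from anywhere
bob ALL=(ALL) NOPASSWD: ALL
EOF

cat >"$SAFE_SUDO" <<'EOF'
# restricted NOPASSWD: two commands, from two named admin hosts only
Host_Alias  ADMINHOSTS = 192.0.2.10, 192.0.2.11
Cmnd_Alias  SERVICES   = /sbin/service, /usr/sbin/apachectl
alice       ADMINHOSTS = NOPASSWD: SERVICES
EOF

# Stand-alone run: report both pairs.
for f in "$WEAK_SSHD" "$SAFE_SSHD"; do
    if root_login_permitted "$f"; then echo "$f: root ssh login PERMITTED"
    else echo "$f: root ssh login denied"; fi
done
for f in "$WEAK_SUDO" "$SAFE_SUDO"; do
    if nopasswd_unrestricted "$f"; then echo "$f: unrestricted NOPASSWD grant"
    else echo "$f: NOPASSWD grants are restricted or absent"; fi
done
```

Point the two functions at /etc/ssh/sshd_config and the files under /etc/sudoers.d to audit a real host. The sshd check stops at the first occurrence of a keyword on purpose, since that is the one sshd applies; a "PermitRootLogin no" added at the bottom of a file that already says "yes" near the top changes nothing.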
