on Sun, May 27, 2001 at 08:13:30AM -0500, ktb ([EMAIL PROTECTED]) wrote:
> On Sun, May 27, 2001 at 12:39:54PM +0200, Timo Blazko Boewing wrote:
> > Hello!
> > 
> > A silly theoretical question: in a ssh thread above, one got the answer 
> > *not* 
> > to enable root user access to a station, it would be better to use a 
> > limited 
> > user account and then gain access via su or that.
> > What is the difference between that. Don't I have full admin rights with su?
> > Or if I have, what is the difference? Is it cos a direct root login allows 
> > to 
> > exploit the sys due to some scripts that get autom. exec'd?
> > I just want to know....cos thus I know why I do things that way :-)
> 
> I think you have it.  You don't want untrusted people to login in as root.
> To limit sshd to non root accounts makes someone have to work harder to
> gain root access.  
> kent

It's also useful from an audit standpoint on shared systesm to have a
user login then a 'su' or 'sudo' to root, rather than connect directly
as root remotely.  If using sudo (and you should), this also makes
managing root access much easier -- you don't have to change a single
shared password (and notify everyone using it), you just pull sudo
priviledges for the user(s) you want to not have root access moving
forward.

I've seen mysterious (and bad) things happen on systems which had (very)
commonly known root passwords and for which root ssh logins were
allowed.  That's simply idiotic, and we had the wiped disks to prove it.
On my own boxen, root passwords were changed from defaults, and root ssh
denied.  I actually stood down my system administrator telling him he
had no need for a root password on the box -- he could administer the
box locally if need be, I didn't trust his security management
(passwords were kept in an Excel spreadsheet -- he didn't last long). 
If he wanted to request my passwords, he could go higher up for the
request (and I'd have complied).  Higher up didn't trust his judgement
either.

-- 
Karsten M. Self <kmself@ix.netcom.com>    http://kmself.home.netcom.com/
 What part of "Gestalt" don't you understand?       There is no K5 cabal
  http://gestalt-system.sourceforge.net/         http://www.kuro5hin.org
   Disclaimer:          http://www.goldmark.org/jeff/stupid-disclaimers/

Attachment: pgpbz7haQ0gXC.pgp
Description: PGP signature

Reply via email to