Vineet Kumar wrote: > > * Michael D. Schleif ([EMAIL PROTECTED]) [020521 12:10]: > > Here's my lack of understanding: > > > > [a] ssh [EMAIL PROTECTED] requires cracking only one (1) string: > > [1] root's password > > > > [b] ssh [EMAIL PROTECTED] requires cracking three (3) separate > > strings: > > [1] mortal_user's username (without this, there is not even system > > access); > > [2] mortal_user's password; and > > [3] root's password > > > > Since _god_ on a given system is almost always root or administrator, I > > fail to see how [a] can be considered at least as secure as [b]. > > > > What am I missing? > > The point is that once you have [b1] and [b2], [b3] is as easy to get > by dropping in a new '~/bin/su' which will read a password, pretend to > the user that there was a typo, read it again, email you the password, > delete itself, and then perform the real /bin/su.
I agree with this; but, the assumptions . . . > The idea is that a user account which often su's is as good as a root > account. One that often sudo's is even easier (if you actually have the > password and not just a backdoor of some sort). This is where I begin to have problems with your argument . . . > So this boils down to [b] is better because of [b1], which I think we'll > all agree isn't *that* difficult to get, if you know anyone who has an > account on the machine, or even just patience and a watchful eye. > Generally usernames aren't kept super-super secret. This thread split off of an earlier thread; but, my context begins with this new thread. Therefore, we are talking about remote users and ssh access to remote systems. Let's begin with your assumption: ``... if you know anyone who has an account on the machine ...'' You are correct that this is a problem -- one problem among many, many problems. This ``socialization'' exploit is always an issue with networked computing environments. Nevertheless, the typical social circle is very small relative to the total global population. In other words, the number of people who cannot know ``anyone who has an account on the machine'' is at least six (6) orders of magnitude greater than else. Whether or not this falls under security by obscurity is irrelevant -- how can you argue that this security measure has *NO* value? Having followed this thread since it spun off, I do not recall anybody saying that such a countermeasure is adequate, in and of itself. However, it helps me deflect bushels full of script kiddies off of my systems . . . What am I missing? -- Best Regards, mds mds resource 888.250.3987 Dare to fix things before they break . . . Our capacity for understanding is inversely proportional to how much we think we know. The more I know, the more I know I don't know . . . -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
