On Thu, Nov 23, 2006 at 12:24:38PM +0100, Igor Sobrado wrote:
> First of all, I understand that remote root logins can be easily
> avoided by setting "PermitRootLogin" to "no" in /etc/ssh/sshd_config.

Yes. This is a very simple thing to do.

> I guess that remote root logins are allowed by default to simplify
> management of small network appliances that do not have user accounts
> on them.  But these appliances are only a small number of all OpenBSD
> installations and, even if this number is not so small, a restricted
> (non-root) account in the group wheel and probably in the group operator
> too, on these devices is advisable to avoid damaging these appliances
> by mistake.

These assumptions, I think, are the problem. I have no "small network
appliances", yet I find SSH root login to be very useful in the initial
stages of configuring a new computer installation.

> In my humble opinion, there are three reasons to deny remote root logins
> by default:
> 
>   1. Remote root login enabled by default makes the wheel group
>      superfluous (i.e., why are users added to the wheel group when
>      a user not in this group can log in as root, once the root
>      password is known to him, by just typing "ssh [EMAIL PROTECTED]"?)
> 
>   2. There are a lot of threats against the root account based on
>      brute force attacks.  Most of us see logs on this matter in our
>      workstations and servers.  Sometimes these threats, done by
>      humans, network scanners or even worms, are successful.  It is
>      just a matter of (bad) luck.

For a compromised password, there's no essential difference between root
and someone with full sudo access. If you have 5 people in wheel/sudoers
then an attacker can break *any* of those and get root.

>   3. OpenBSD is "secure by default"; all services should be configured
>      to the most secure defaults.  I think that this reason is as good
>      as the previous ones.  And not allowing remote root logins by
>      default makes sense to me in relation with this goal.

No. It would be simple enough to disable everything, but that wouldn't
be functional. OpenBSD has an excellent track record for security, yet
many useful things are enabled by default. Do you *really* believe that
nobody has thought about turning off root ssh in the default configs? Of
course they have. Yet it remains enabled. Selecting a secure password
for root is YOUR responsibility.

> Someone that really wants to allow remote root logins should be able to
> enable this feature just changing /etc/ssh/sshd_config.  But, in my
> humble opinion, most users do not really want this dangerous feature
> enabled by default.  And, even on small network appliances, an unprivileged
> account in the wheel group (and even in the operator group) is a good
> management practice.

Most users just don't care. More security conscious users *do* care, and
often turn it off. They also block all ICMP packets and a lot of other
things that they read somewhere on the web, without understanding why,
or assessing how much of a threat it poses to them, or how effective it
is in countering the threat. *Really* security conscious people take the
time to understand the issues, and to configure their systems.


-- 
Darrin Chandler            |  Phoenix BSD Users Group
[EMAIL PROTECTED]   |  http://bsd.phoenix.az.us/
http://www.stilyagin.com/  |
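
Added example, not part of the original message: a POSIX shell check for the effective global PermitRootLogin value that the thread discusses. sshd uses the first value it obtains for each keyword, so a later "PermitRootLogin no" does not override an earlier "yes". The function name, the default passed as an argument, and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# effective_root_login DEFAULT < sshd_config
# Prints the global PermitRootLogin value sshd would apply.
# DEFAULT is what to report when the keyword is never set (assumption:
# the caller knows the compiled-in default of the installed sshd).
# Limitations: Match blocks are treated as conditional and not evaluated,
# and Include files are not followed.
effective_root_login() {
    awk -v dflt="$1" '
        { sub(/^[ \t]+/, "") }              # strip leading whitespace
        /^#/ || /^$/ { next }               # comments and blank lines
        {
            line = $0
            sub(/[ \t]*=[ \t]*/, " ", line) # accept the "Keyword=value" form
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])             # keywords are case-insensitive
            if (key == "match") exit        # global section ends here
            if (key == "permitrootlogin" && n >= 2) {
                val = f[2]; found = 1
                exit                        # first obtained value wins
            }
        }
        END { print (found ? val : dflt) }
    '
}

# Constructed sample: the commented-out line has no effect, and the
# second PermitRootLogin line is ignored because the first one wins.
sample_config() {
    cat <<'EOF'
#PermitRootLogin no
Port 22
PermitRootLogin yes
PermitRootLogin no
EOF
}

echo "effective PermitRootLogin: $(sample_config | effective_root_login yes)"
```

On a live system the same function can be fed /etc/ssh/sshd_config on standard input.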
