Chris Berry wrote:

>> From: Johan De Meersman <[EMAIL PROTECTED]>
>> I don't think it's ever a good idea to allow root ssh to any machine
>
>
> Why not?  Also, how are you going to remote administer it without some 
> sort of control SSH, VNC, etc?

Because the first shell exploit or key theft will give root access 
instead of low-user access. Remote control is achieved by ssh-ing as 
low-user, and then su-ing to root, thereby doubling the work involved in 
rooting the box. You still need decent passphrases on both your keys and 
your root account, of course. You can also allow root ssh from localhost 
only, adding a tiny bit more security still by not su-ing but ssh-ing to 
root.

>
>
> Chris Berry
> [EMAIL PROTECTED]
> Systems Administrator
> JM Associates
>
> "I have found the way, and the way is Perl."



-- 
Public GPG key at blackhole.pca.dfn.de .
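
The setup described in the reply above, written out as an added sshd_config example that is not part of the original message. It assumes OpenSSH's sshd; the address 203.0.113.5 and the name "lowuser" in the comments are constructed placeholders.

```conf
# /etc/ssh/sshd_config (fragment)

# Weak setting the thread argues against: one stolen key or one
# exploited login path lands directly in a root shell.
#PermitRootLogin yes

# Global default: root cannot log in over the network at all.
# Admins log in as an unprivileged account and then escalate, so an
# attacker needs the user credential AND the root credential.
PermitRootLogin no

# Optional variant from the reply: accept root logins only when the
# connection originates on the machine itself (loopback), and only
# with a key, never a password. Match blocks must come after all
# global settings, since they run to the end of the file or to the
# next Match line.
Match Address 127.0.0.1,::1
    PermitRootLogin prohibit-password

# Checks to run after editing (as root), before reloading sshd:
#   sshd -t
#       syntax check; prints nothing on success
#   sshd -T -C user=root,host=localhost,addr=203.0.113.5 | grep -i permitrootlogin
#       effective policy for a remote source; expect "permitrootlogin no"
#   sshd -T -C user=root,host=localhost,addr=127.0.0.1 | grep -i permitrootlogin
#       effective policy for loopback; expect "permitrootlogin prohibit-password"
#
# Resulting admin workflow:
#   ssh lowuser@server      # key protected by a passphrase
#   su -                    # root password, or:
#   ssh root@localhost      # root key, accepted only via the Match block
```

Keep an existing session open while reloading sshd so a mistake in the file does not lock you out. OpenSSH releases before 7.0 spell the key-only value `without-password`.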
