>From: Johan De Meersman <[EMAIL PROTECTED]>
>>>I don't think it's ever a good idea to allow root ssh to any machine
>>Why not? Also, how are you going to remote administer it without some
>>sort of control SSH, VNC, etc?
>Because the first shell exploit or key theft will give root access instead
>of low-user access. Remote control is achieved by ssh-ing as low-user, and
>then su-ing to root, thereby doubling the work involved in rooting the box.
>You still need decent passphrases on both your keys and your root account,
>of course. You can also allow root ssh from localhost only, adding a tiny
>bit more security still by not su-ing but ssh-ing to root.

Doesn't this actually lower your security by requiring you to transmit your password when you do the SU command, rather than authenticating locally?

Chris Berry
[EMAIL PROTECTED]
Systems Administrator
JM Associates

"I have found the way, and the way is Perl."
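
The two setups discussed in this thread (no direct root SSH, or root SSH from localhost only) can be checked against a server's config. The following is an added example, not part of the original messages: a small Python audit that classifies root SSH exposure from sshd_config text. It assumes an OpenSSH version that supports Match blocks; the sample config and all function names are constructed for illustration.

```python
import ipaddress

# Constructed sample config: root SSH refused globally, allowed from loopback only.
SAMPLE = """\
PermitRootLogin no
Match Address 127.0.0.1,::1
    PermitRootLogin yes
"""

def parse_root_login(text):
    """Return (global_value, [(match_criteria, value), ...]) for PermitRootLogin."""
    global_value, overrides, match = None, [], None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            match = " ".join(args)          # block runs until the next Match line
        elif key == "permitrootlogin" and args:
            value = args[0].lower()
            if match is None:
                global_value = global_value or value   # first value obtained wins
            elif match not in dict(overrides):
                overrides.append((match, value))
    return global_value, overrides

def is_loopback_only(criteria):
    """True for a 'Match Address' line whose patterns are all loopback addresses."""
    words = criteria.split()
    if len(words) != 2 or words[0].lower() != "address":
        return False
    try:
        return all(ipaddress.ip_network(p, strict=False).is_loopback
                   for p in words[1].split(","))
    except ValueError:                      # wildcards, negations, hostnames
        return False

def root_exposure(text):
    """Classify as 'unset', 'disabled', 'localhost-only' or 'remote'."""
    global_value, overrides = parse_root_login(text)
    if global_value is None:
        return "unset"                      # compiled-in default applies
    if global_value != "no":
        return "remote"                     # any non-"no" value lets root in somehow
    enabling = [c for c, v in overrides if v != "no"]
    if not enabling:
        return "disabled"
    return "localhost-only" if all(map(is_loopback_only, enabling)) else "remote"
```

On a live host, the output of `sshd -T` is the authoritative view of the effective settings; this parser only reads one file and does not follow Include directives.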
