On Mon, 14 Oct 2002, Johan De Meersman wrote: > Chris Berry wrote: > > >>From: Johan De Meersman <[EMAIL PROTECTED]> > >>I don't think it's ever a good idea to allow root ssh to any machine > > > > > >Why not? Also, how are you going to remote administer it without some > >sort of control SSH, VNC, etc? > > Because the first shell exploit or key theft will give root access > instead of low-user access. Remote control is achieved by ssh-ing as > low-user, and then su-ing to root, thereby doubling the work involved in > rooting the box.
As I recall, my favorite security site www.securityportal.com (rip - someone else has the domain name now) explained in easy terms that doubling the work is *not* the purpose of Chris's standard precaution. (A little thought shows the work is not doubled, although the time for the break-in to take place may be a little longer.) My understanding: The main benefit is that each log in can be traced to a unique person (for some regulated industries this is a legal requirement) to whom you have given a unique password. If several admins share a remote root password you may never figure out whether one of you legitimately logged in remotely, or it was an attacker. Also what do you do if one of you writes down the password and leaves it in his home office? Reissue root password to everyone? And when the worst happens there is a chance of more useful forensic evidence left behind. > You still need decent passphrases on both your keys and > your root account, of course. Absolutely. The strongest defence is still the authentication of the remote log in, imo. > You can also allow root ssh from localhost > only, adding a tiny bit more security still by not su-ing but ssh-ing to > root. Never thought of this -- good stuff. Will using ssh-agent instead of typing ssh passphrase into the remote server hinder attackers ?? -- David
