On Sun Sep 16, 2001 at 07:07:07PM -0400, Yura Gusev wrote:

> > Uhm, and why is it more secure for someone to telnet into a machine and
> > then su to root?
> 
> 1. Telnet is insecure; use ssh. DON'T USE TELNET. (For Windows there is a
> nice ssh prog called PuTTY.)
> 2. It is possible to use a brute force attack to find the root password.
> 3. It is more auditable, so you can see who used su.
> 4. Hmm, a bug in SSH. Ex: http://www.ssh.com/products/ssh/exploit.cfm

SSH, not OpenSSH... OpenSSH as packaged (via updates) for Mandrake is
secure.

> 5. A user can save root's password on the SSH client.

Then this is user stupidity.  Who is going to save the root password on a
client machine?

> http://archives.neohapsis.com/archives/sf/sun/2000-q3/0043.html
> 6. Why do you think inetd restricts root from remote ftp, telnet, and other
> inetd-started services?

Because it's plaintext?  Silly question.

Preventing root logins via ssh is silly.  Any cracker worthy of the
title could brute force your primary user's account and then start to
play.  If you use an easy-to-guess root password, you shouldn't have
access to root.

Arbitrarily deciding that users should not allow root logins via ssh
is not necessary.  A setting in msec could do this, or if you really
don't want to permit root login via ssh, turn it off yourself.  While
I agree it may be more secure, it's not *that* much more secure to
start changing things now.

-- 
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD   88D8 0D23 8D4B 3407 5BD7  66F9 2043 D0E5 FE6F 2AFD
 - Danen Consulting Services    www.danen.net, www.freezer-burn.org
 - MandrakeSoft, Inc. Security  www.linux-mandrake.com

Current Linux kernel 2.4.8-24mdk uptime: 11 hours 4 minutes.
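The "turn it off yourself" option discussed above, as an added example that is not part of this message, of msec, or of OpenSSH itself: a small POSIX shell audit that reads an sshd_config and reports whether root can still log in with a password over ssh. It assumes an absent PermitRootLogin directive means "yes", the built-in default of OpenSSH releases of the time (newer releases default to prohibit-password), and the sample configurations are constructed for the demonstration.

```shell
# Added example, not code from the original message or from Mandrake/msec.
# Reports the effective PermitRootLogin value for an sshd_config read on
# stdin. sshd honours the first occurrence of a keyword; anything after a
# "Match" line is conditional and ignored here. An absent directive is
# reported as "yes", assumed to be the daemon's default at the time
# (OpenSSH 7.0 and later default to prohibit-password instead).
effective_permit_root_login() {
    val=$(sed -e 's/#.*//' -e 's/=/ /' |
          awk 'tolower($1)=="match" {exit}
               tolower($1)=="permitrootlogin" {print tolower($2); exit}')
    if [ -z "$val" ]; then
        echo "yes"
    else
        echo "$val"
    fi
}

# Exit status 0 when the setting still lets root log in with a password
# over ssh (the case the thread argues about), 1 for no, without-password
# or forced-commands-only.
root_password_login_allowed() {
    case "$(effective_permit_root_login)" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample configurations: the first only has the directive
# commented out, the second sets it twice (first occurrence wins).
LENIENT='Protocol 2
#PermitRootLogin no
Port 22'
STRICT='Protocol 2
PermitRootLogin no
PermitRootLogin yes'

printf '%s\n' "$LENIENT" | root_password_login_allowed && echo "lenient: root password login still allowed"
printf '%s\n' "$STRICT"  | root_password_login_allowed || echo "strict: root password login refused"
```

Run it against the real file with `effective_permit_root_login < /etc/ssh/sshd_config` after sourcing the script.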
