On 2/2/07, Raj Mathur <[EMAIL PROTECTED]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > On Friday 02 February 2007 12:08, [EMAIL PROTECTED] wrote: > > On Fri, 02 Feb 2007 13:25:11 +0800, Eduardo Tongson said: > > > On 2/2/07, Xavier Beaudouin <[EMAIL PROTECTED]> wrote: > > > <> > > > > Allowing direct root login even with SSH is IMHO stupid... > > > Please elaborate why is it IYHO stupid. > > In environments where more than 1 person has root access, allowing > > direct login to root means you can't keep an audit trail of which > > person logged in. > > > > And if your environment only one person has root access, that's > > just looking for a DoS if the one person is hit by a bus..... > > I believe we have had this discussion before, but I'll iterate my > beliefs in favour of allowing direct root access again: > > - - Password management is a bitch. I don't remember passwords for > about half the accounts I have. Using a key-based root login, I > don't need to remember those passwords either. If you take the sudo > route, every user has to remember each password for each account, > unless you take the deprecated route of reusing passwords (or > *horrors* allow sudo without password).
key-based login without passphrase is like eating cheese without bred. useless (IMHO). > - - With a little bit of configuration, it's easy to figure out which > key was used to login to an account; the audit trail can be managed > that way. > - - Managing which users have access to which root accounts is trivial > this way: just add or delete their keys from .ssh/authorized_keys[2]. Totally agree. -- Tyop? http://altmylife.blogspot.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
