On Monday 28 May 2007, Petr Klíma wrote:
> John Andersen wrote:
> > I don't think that is a universally accepted setup.  The only risk to
> > root ssh logins is based on ancient flaws and timing attacks in
> > long obsolete versions of ssh.
>
> It has another reason - no one can do a successful dictionary attack on the root
> account when it's not allowed to log in as root.

With a properly configured firewall, dictionary attacks are pretty
much a non-issue.  My firewalls rate limit ssh connection attempts
which pretty much stops dictionary attacks in their tracks.

Further, even rudimentary mixing of numbers and letters and
upper/lower case will foil dictionary attacks. Even if you were silly
enough to use your first name as a password, even one upper
case letter in an odd place (peTr) would foil all such attacks I have
ever seen.

You can also use the authorized keys method (disabling plain text),
requiring everyone to have a 1024- or 2048-bit key file on every
machine they want to log in from.  That's big enough that it forces
people to keep the key file lying around on their hard disk, which
is less than ideal.

I still think no convincing case for limiting root ssh logins has
come forward.

-- 
_____________________________________
John Andersen
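Added example (not from the thread or from any poster): a small audit of the sshd_config directives the thread argues about, PermitRootLogin and PasswordAuthentication. It applies the sshd_config(5) rules that keywords are case-insensitive, the first value seen for a keyword wins, and lines after a Match block are conditional rather than global; the sample config and its "admin appended fixes at the bottom" mistake are constructed for illustration.

```python
"""Audit sshd_config for root/password login exposure (added example)."""
import re

# Defaults applied when a keyword is absent (OpenSSH 7.0 and later).
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}


def effective_global_options(config_text):
    """Return {keyword: value} for the global section, as sshd reads it."""
    opts = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank line or comment
        # sshd accepts "Key value" as well as "Key=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()             # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break                          # conditional block: not global
        opts.setdefault(key, value)        # first occurrence wins
    return opts


def audit(config_text):
    """Return findings describing how root or passwords can be attacked."""
    opts = effective_global_options(config_text)
    findings = []
    if opts.get("permitrootlogin", DEFAULTS["permitrootlogin"]).lower() == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if opts.get("passwordauthentication",
                DEFAULTS["passwordauthentication"]).lower() == "yes":
        findings.append("PasswordAuthentication yes: password guessing possible")
    return findings


# Constructed sample: the later "no" lines were meant to override the earlier
# "yes" lines, but sshd keeps the first value, so root+password stays enabled.
SAMPLE = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
PasswordAuthentication no
Match Address 10.0.0.0/8
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against a copy of the real /etc/ssh/sshd_config to see which of the two settings the thread debates are actually in force; an empty list means root is limited to keys and passwords are off globally.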