On Mon, 27 Jan 2003, Federico Sevilla III wrote:

> On Mon, Jan 27, 2003 at 09:02:28PM +0800, Ian C. Sison wrote:
> > For ssh sessions you need to edit /etc/ssh/sshd_config
> >
> > and set PermitRootLogin to no
>
> Ian probably meant "set PermitRootLogin to yes", if you want to allow
> root to login via SSH, that is. Having said that I highly recommend you
> -not- do this. Instead install sudo and add the list of users you want
> to be able to gain root access -when needed- to the /etc/sudoers file.
>

I'd go a bit further in that if your services permit, do away with
creating users on your box totally.  Local users in a system are a
security hole just waiting to be exploited.

Ideally, no one deserves shell access except root, not even the owner of
the company \8).

Services such as mail, or ftp which require a form of authentication can
be run off an sql or ldap database, so there is really no need for local
users.  FTP services should be chrooted so that they can't travel beyond
their home directories.  Note also that if you installed ssh and didn't
fiddle with the default config, the sftp service will also be available
and is a hidden security problem.  The SFTP implementation does NOT chroot
the home directory so any user can log on and fiddle with files that
aren't in his homedir.

I also don't agree with 'ssh as local unprivileged user first before
doing an su'.  That simply allows anyone with access to that unprivileged
user to login and do all sorts of kinky stuff locally.  So don't do it.

Keep a root password that's hard to crack via brute force, and share it
only with admins who know enough and are responsible enough to
administer the system.

All other stuff you want to delegate to unprivileged users, you can
delegate via a web based program such as webmin which can do the same
thing without shell access.  Note that webmin has its own share of
security issues so make sure you are using the latest release.

Just my $0.02.

Ian
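An added check, not part of the original thread or of OpenSSH itself: a POSIX shell audit of an sshd_config for the two settings discussed above, the effective PermitRootLogin value and whether the sftp subsystem is confined. It assumes the Match, ChrootDirectory and internal-sftp directives of later OpenSSH releases (which this 2003 thread predates), and the config text it reads is constructed.

```shell
#!/bin/sh
# Constructed sample sshd_config (not taken from any real host).
SAMPLE_CONFIG='Port 22
#PermitRootLogin yes
PermitRootLogin no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /home/%u
    ForceCommand internal-sftp
'

# Effective value of a global keyword: sshd honours the first uncommented
# occurrence, and keywords after a Match line only apply to that block,
# so stop there.  Prints "unset" when the keyword never appears.
sshd_option() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "unset" }'
}

# "chrooted" if any ChrootDirectory directive confines sftp users,
# "open" if the subsystem runs against the full filesystem (the default
# the post warns about).
sftp_chroot_state() {
    if printf '%s\n' "$1" | grep -qiE '^[[:space:]]*ChrootDirectory[[:space:]]'; then
        echo chrooted
    else
        echo open
    fi
}

# Human-readable summary of both findings for one config text.
audit_report() {
    printf 'PermitRootLogin: %s\n' "$(sshd_option PermitRootLogin "$1")"
    printf 'sftp subsystem:  %s\n' "$(sftp_chroot_state "$1")"
}

audit_report "$SAMPLE_CONFIG"
```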


Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph