Re: root via ssh / why su - ?
On Tue, Jun 05, 2001 at 03:44:28PM -0700, Karsten M. Self wrote:

> I don't know that it's possible to disable password authentication, or

PasswordAuthentication no

or if you want to do it on a user by user basis add:

auth required pam_listfile.so item=user sense=deny \
     file=/etc/ssh/ssh_rsa_only onerr=succeed

to /etc/pam.d/ssh then add users who should not be allowed to authenticate via passwords to /etc/ssh/ssh_rsa_only

> to require passphrase authentication (unsecured RSA keys *are* a security threat).

no way to prevent that, the passphrase is only known to the client, and the client program is what takes care of asking it and decrypting the private key. there is no way for the server to know much less enforce passphrase rules on RSA/DSA keys.

--
Ethan Benson
http://www.alaska.net/~erbenson/
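Added example, not part of the original thread or of any poster's message: a small audit of the two controls discussed here, denying root logins and disabling password authentication, plus the per-user pam_listfile rule. The function names and sample files are constructed for illustration, and `PermitRootLogin` is the sshd_config keyword for the root-login setting, which the thread does not name.

```shell
#!/bin/sh
# Added example: audit the sshd and PAM settings discussed above.

# Print the effective global value of an sshd_config keyword. sshd keeps
# the first value it reads for a keyword, and keywords are
# case-insensitive. Assumes the whitespace-separated "Keyword value"
# form; everything from the first Match line on is conditional and skipped.
sshd_effective() {  # usage: sshd_effective KEYWORD FILE
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want { print $2; exit }' "$2"
}

# Report every audited keyword whose effective value is not an explicit
# "no". The return status is the number of findings.
audit_sshd() {  # usage: audit_sshd SSHD_CONFIG
    findings=0
    for kw in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_effective "$kw" "$1")
        if [ "$val" != "no" ]; then
            echo "FINDING: $kw is '${val:-unset}', expected 'no'"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Check the per-user rule: the pam_listfile line (backslash continuation
# joined first) must name LIST_FILE, and LIST_FILE must exist, because
# onerr=succeed makes the module pass when it cannot open the file.
pam_rsa_only_ok() {  # usage: pam_rsa_only_ok PAM_FILE LIST_FILE
    awk -v list="file=$2" '
        { if (sub(/\\$/, "")) { buf = buf $0; next } line = buf $0; buf = "" }
        line ~ /^[ \t]*auth[ \t]+required[ \t]+pam_listfile\.so/ &&
            index(line, "item=user") && index(line, "sense=deny") &&
            index(line, list) { found = 1 }
        END { exit !found }' "$1" || return 1
    [ -f "$2" ] && [ -r "$2" ]
}

# Constructed sample input, so the example runs offline.
tmp=$(mktemp -d)
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication yes' \
    'PasswordAuthentication no' > "$tmp/sshd_config"
audit_sshd "$tmp/sshd_config" || echo "findings: $?"
printf '%s\n' 'auth required pam_listfile.so item=user sense=deny \' \
    " file=$tmp/ssh_rsa_only onerr=succeed" > "$tmp/pam_ssh"
pam_rsa_only_ok "$tmp/pam_ssh" "$tmp/ssh_rsa_only" ||
    echo "FINDING: list file missing, password logins are not denied"
rm -rf "$tmp"
```

In the constructed sshd_config the later `PasswordAuthentication no` has no effect, because the earlier `yes` is read first.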
Re: root via ssh / why su - ?
on Mon, May 28, 2001 at 09:18:17PM +1000, Brian May ([EMAIL PROTECTED]) wrote:

> Alvin == Alvin Oga [EMAIL PROTECTED] writes:
>
> >> On my own boxen, root passwords were changed from defaults, and root ssh denied. I actually stood down my system administrator telling him he had no need for a root password on the box -- he could administer the box locally if need be, I didn't trust his security management (passwords were kept in an Excel spreadsheet -- he didn't last long).
>
> Alvin> humm...smart... why bother have a secret passwd if ya
> Alvin> gonna write it down... oh well...
>
> If you administrate XYZ different computer systems, and each computer has a different root password, it can become very difficult to remember all these passwords (especially if you don't regularly use that particular system).

This is why God invented ssh RSA key authentication. One passphrase (mine runs better than 25 characters) hits all systems.

For one bastion system I accessed, I didn't *know* my user password, having first changed it to some arbitrary 12 character string. pwgen is fun. I've also checked to see that it generates a wide range of generally distinct passwords, and it appears it does (posted recently to bugtraq).

> So you either run the risk of forgetting a vital password at a vital time, or you write them down somewhere in a safe place.

I also use my palm pilot and Cryptinfo. Other options include one-time password generators available as credit cards or key fobs.

> ...ssh RSA/DSA authentication might be the best solution (assuming you *allow* remote root logins),

No. You allow remote unprivileged user logins, and sudo root for specific commands.

> but only if you always log on from the same trusted computer every time. Not good, for instance, if you accidently break network access to a central server, but can't remember the password to login locally to the console.

...in which case you log in as a local user and grab the password from your secured palm pilot or similar.

> (Just a thought: perhaps a better solution would be to store these passwords on a computer file, but GPG encrypt them?)

Several such utilities exist for GNU/Linux, though I haven't used any myself. Potential problems exist on any shared-memory system. At least a palm pilot is relatively isolated, though this assumption may change.

--
Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/
What part of Gestalt don't you understand? There is no K5 cabal
http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
Disclaimer: http://www.goldmark.org/jeff/stupid-disclaimers/
Re: root via ssh / why su - ?
on Tue, Jun 05, 2001 at 08:37:16PM +0200, Hendrik Sattler ([EMAIL PROTECTED]) wrote:

> Karsten M. Self wrote:
>
> >> If you administrate XYZ different computer systems, and each computer has a different root password, it can become very difficult to remember all these passwords (especially if you don't regularly use that particular system).
> >
> > This is why God invented ssh RSA key authentication. One passphrase (mine runs better than 25 characters) hits all systems.
> >
> > For one bastion system I accessed, I didn't *know* my user password, having first changed it to some arbitrary 12 character string. pwgen is fun. I've also checked to see that it generates a wide range of generally distinct passwords, and it appears it does (posted recently to bugtraq).
>
> Then you have some kind of security weakness. One account makes all other machines accessible. That is same as using the same password everywhere. The only difference: you changed the hacker entry from all machines to only your machine but I guess a sshd runs there, too.
> All secure ways are only less insecure...

Please reply to list mail on list unless clearly indicating other intent. Response to list, Reply-to set to list.

Security involves balancing risks. How is authenticated, from-a-single-point, revokable access, worse than the practices typically engendered by multiple passwords (often stored insecurely), single passwords shared over multiple systems, and/or shared root accounts?

Compromise of a system on which an RSA key is used to access other systems is somewhat analogous to compromise of a system on which multiple passwords are kept, or compromise of a single shared password. However, the damage is mitigated in that the single system must then be used to launch attacks -- the window afforded is still rather small, and can be isolated at either end (by securing the compromised system or by rejecting access from it for the other remote systems).

In a multiuser environment, if a user is suspect (or his/her access needs to be restricted), removing an allowed-hosts entry is sufficient.

I don't know that it's possible to disable password authentication, or to require passphrase authentication (unsecured RSA keys *are* a security threat).

--
Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/
What part of Gestalt don't you understand? There is no K5 cabal
http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
Disclaimer: http://www.goldmark.org/jeff/stupid-disclaimers/
Re: root via ssh / why su - ?
On Mon, May 28, 2001 at 11:26:06AM -0500, Dave Sherohman wrote:

> If you've got a PalmPilot, etc., there's a wonderful utility called STRIP (Secure Tool for Remembering Important Passwords) that does just this. It stores and categorizes passwords in an encrypted (either DES or IDEA, depending on which version you download) database.

Is there such a utility for a Linux system? I'm in need of one. I currently save some of my passwords (no root passwords, sorry) in a -rwx-- file :)

Regards,
Alex

--
Alex Suzuki | [EMAIL PROTECTED] | http://www.cynox.ch
To send me an email, remove NOSPAM from the above address
Re: root via ssh / why su - ?
Alex Suzuki [EMAIL PROTECTED] writes:

> Is there such a utility for a Linux system? I'm in need of one. I currently save some of my passwords (no root passwords, sorry) in a -rwx-- file :)

Have a look at gpasman:

$ apt-cache show gpasman
Package: gpasman
Priority: optional
Section: non-US
Installed-Size: 50
Maintainer: Jules Bean [EMAIL PROTECTED]
Architecture: i386
Version: 1.3.0-1
Depends: libc6 (= 2.1.2), libglib1.2 (= 1.2.0), libgtk1.2 (= 1.2.6-1), xlib6g (= 3.3.5)
Filename: dists/woody/non-US/main/binary-i386/gpasman_1.3.0-1.deb
Size: 17802
MD5sum: 324980f9205972f44ce31ce26249c4df
Description: A password manager
 Gpasman allows you to manage all the passwords you have. Instead of
 having to remember every single password you just have to remember your
 master password and can check with gpasman to get the others.

Greetings,
joachim
Re: root via ssh / why su - ?
on Sun, May 27, 2001 at 08:13:30AM -0500, ktb ([EMAIL PROTECTED]) wrote:

> On Sun, May 27, 2001 at 12:39:54PM +0200, Timo Blazko Boewing wrote:
>
> > Hello!
> >
> > A silly theoretical question: in a ssh thread above, one got the answer *not* to enable root user access to a station, it would be better to use a limited user account and then gain access via su or that. What is the difference between that. Don't I have full admin rights with su? Or if I have, what is the difference? Is it cos a direct root login allows to exploit the sys due to some scripts that get autom. exec'd? I just want to know cos thus I know why I do things that way :-)
>
> I think you have it. You don't want untrusted people to login in as root. To limit sshd to non root accounts makes someone have to work harder to gain root access.
> kent

It's also useful from an audit standpoint on shared systems to have a user login then a 'su' or 'sudo' to root, rather than connect directly as root remotely. If using sudo (and you should), this also makes managing root access much easier -- you don't have to change a single shared password (and notify everyone using it), you just pull sudo privileges for the user(s) you want to not have root access moving forward.

I've seen mysterious (and bad) things happen on systems which had (very) commonly known root passwords and for which root ssh logins were allowed. That's simply idiotic, and we had the wiped disks to prove it.

On my own boxen, root passwords were changed from defaults, and root ssh denied. I actually stood down my system administrator telling him he had no need for a root password on the box -- he could administer the box locally if need be, I didn't trust his security management (passwords were kept in an Excel spreadsheet -- he didn't last long). If he wanted to request my passwords, he could go higher up for the request (and I'd have complied). Higher up didn't trust his judgement either.

--
Karsten M. Self kmself@ix.netcom.com http://kmself.home.netcom.com/
What part of Gestalt don't you understand? There is no K5 cabal
http://gestalt-system.sourceforge.net/ http://www.kuro5hin.org
Disclaimer: http://www.goldmark.org/jeff/stupid-disclaimers/
Re: root via ssh / why su - ?
hi ya karsten

> I've seen mysterious (and bad) things happen on systems which had (very) commonly known root passwords and for which root ssh logins were allowed. That's simply idiotic, and we had the wiped disks to prove it.

yup inhouse security is more prevalent than from the outside coming in ??? ( guessing )

> On my own boxen, root passwords were changed from defaults, and root ssh denied. I actually stood down my system administrator telling him he had no need for a root password on the box -- he could administer the box locally if need be, I didn't trust his security management (passwords were kept in an Excel spreadsheet -- he didn't last long).

humm...smart... why bother have a secret passwd if ya gonna write it down... oh well...

> If he wanted to request my passwords, he could go higher up for the request (and I'd have complied). Higher up didn't trust his judgement either.

if he has root passwd etc... why would he care about your passwd ??

if he didn't have root pwd and is the system admin that supposed to be responsible and he dont know how to become root... maybe its time for them to get their MSCE certificate updates and a new NT job ??

user passwd should not be affected... it wont matter to a user called root ( or uid == 0 )

shared root passwd is a very bad thing lots of finger pointing the other way. ask mikey... mikey did it!! ...

c ya
alvin
Re: root via ssh / why su - ?
Alvin == Alvin Oga [EMAIL PROTECTED] writes:

>> On my own boxen, root passwords were changed from defaults, and root ssh denied. I actually stood down my system administrator telling him he had no need for a root password on the box -- he could administer the box locally if need be, I didn't trust his security management (passwords were kept in an Excel spreadsheet -- he didn't last long).

Alvin> humm...smart... why bother have a secret passwd if ya
Alvin> gonna write it down... oh well...

If you administrate XYZ different computer systems, and each computer has a different root password, it can become very difficult to remember all these passwords (especially if you don't regularly use that particular system).

So you either run the risk of forgetting a vital password at a vital time, or you write them down somewhere in a safe place.

...admittedly, I would refrain from writing all my passwords down in the same place. If somebody did manage to get the list, he/she would have access to everything, not just one or two systems!

...also, not sure I would trust Excel, but that is another topic ;-)

...ssh RSA/DSA authentication might be the best solution (assuming you *allow* remote root logins), but only if you always log on from the same trusted computer every time. Not good, for instance, if you accidently break network access to a central server, but can't remember the password to login locally to the console.

(Just a thought: perhaps a better solution would be to store these passwords on a computer file, but GPG encrypt them?)

--
Brian May [EMAIL PROTECTED]
Re: root via ssh / why su - ?
On Mon, May 28, 2001 at 09:18:17PM +1000, Brian May wrote:

> (Just a thought: perhaps a better solution would be to store these passwords on a computer file, but GPG encrypt them?)

If you've got a PalmPilot, etc., there's a wonderful utility called STRIP (Secure Tool for Remembering Important Passwords) that does just this. It stores and categorizes passwords in an encrypted (either DES or IDEA, depending on which version you download) database.

It will also generate passwords for you, but there was a bug discovered about a month and a half ago which results in it only having 64k available random number seeds, making STRIP-generated passwords very vulnerable to a modified dictionary attack. I'm not sure whether this has been fixed yet.

--
That's not gibberish... It's Linux. - Byers, The Lone Gunmen
Geek Code 3.12: GCS d? s+: a C++ UL$ P+ L+++ E- W--(++) N+ o+ !K w--- O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv+ b+ DI D G e* h r y+
Re: root via ssh / why su - ?
hi brian

yes ... if one is forced, by ones forgetfulness or really good passwds... i'd write it down and ENCRYPT that file...

the assumption is you never forget the passwd or the pass phrase on the ONE machine... and keep a copy of it on another machine so that if you lose the disk/file...you have it store elsewhere in encrypted form...

problem now is... if they get your pass phrase they have root passwds to all your servers really really bad and its sorta obvious that encrypted files are important files

and i disallow root ssh logins... and i dont allow ssh connections without entering a passwd ... ( there other ways to get the same effect for scripts and there better NOT be any passwd in the scripts either... audit those scripts that your users did ...

even if you forget root passwd ...you can always hit ctrl-alt-del and boot into single user mode... though thats another issue of where to allow it or not...and whether single user should be pwd protected or not...

endless precautions...

c ya
alvin

On 28 May 2001, Brian May wrote:

> Alvin == Alvin Oga [EMAIL PROTECTED] writes:
>
> >> On my own boxen, root passwords were changed from defaults, and root ssh denied. I actually stood down my system administrator telling him he had no need for a root password on the box -- he could administer the box locally if need be, I didn't trust his security management (passwords were kept in an Excel spreadsheet -- he didn't last long).
>
> Alvin> humm...smart... why bother have a secret passwd if ya
> Alvin> gonna write it down... oh well...
>
> If you administrate XYZ different computer systems, and each computer has a different root password, it can become very difficult to remember all these passwords (especially if you don't regularly use that particular system).
>
> So you either run the risk of forgetting a vital password at a vital time, or you write them down somewhere in a safe place.
>
> ...admittedly, I would refrain from writing all my passwords down in the same place. If somebody did manage to get the list, he/she would have access to everything, not just one or two systems!
>
> ...also, not sure I would trust Excel, but that is another topic ;-)
>
> ...ssh RSA/DSA authentication might be the best solution (assuming you *allow* remote root logins), but only if you always log on from the same trusted computer every time. Not good, for instance, if you accidently break network access to a central server, but can't remember the password to login locally to the console.
>
> (Just a thought: perhaps a better solution would be to store these passwords on a computer file, but GPG encrypt them?)
root via ssh / why su - ?
Hello!

A silly theoretical question: in a ssh thread above, one got the answer *not* to enable root user access to a station, it would be better to use a limited user account and then gain access via su or that. What is the difference between that. Don't I have full admin rights with su? Or if I have, what is the difference? Is it cos a direct root login allows to exploit the sys due to some scripts that get autom. exec'd? I just want to know cos thus I know why I do things that way :-)

Thanx in advance

greetz,
Timo Boewing
Re: root via ssh / why su - ?
On Sun, May 27, 2001 at 12:41:33PM +0200, Timo Blazko Boewing wrote:

> Hello!
>
> A silly theoretical question: in a ssh thread above, one got the answer *not* to enable root user access to a station, it would be better to use a limited user account and then gain access via su or that. What is the difference between that. Don't I have full admin rights with su? Or if I have, what is the difference? Is it cos a direct root login allows to exploit the sys due to some scripts that get autom. exec'd? I just want to know cos thus I know why I do things that way :-)

if someone steals your root password, they have full control over your box. with having remote root logins disabled they have to break in a user account _and_ in the root account.

if you're really security minded you should use ssh keys instead of passwords, since passwords can be easier stolen. the advantage of ssh keys is that you need a key _and_ a passphrase to break in

for more info, look at the freebsd security manpage (applies to linux too):
http://www.freebsd.org/cgi/man.cgi?query=security&apropos=0&sektion=0&manpath=FreeBSD+5.0-current&format=html

for simple, local servers this might be a bit overkill, so you prolly can get away with only choosing good passwords for root and others

--
,---. Name: Alson van der Meulen Personal: [EMAIL PROTECTED] School: [EMAIL PROTECTED] `---'
Say, What does Superblock Error mean, anyhow? -
Re: root via ssh / why su - ?
On Sun, May 27, 2001 at 12:39:54PM +0200, Timo Blazko Boewing wrote:

> Hello!
>
> A silly theoretical question: in a ssh thread above, one got the answer *not* to enable root user access to a station, it would be better to use a limited user account and then gain access via su or that. What is the difference between that. Don't I have full admin rights with su? Or if I have, what is the difference? Is it cos a direct root login allows to exploit the sys due to some scripts that get autom. exec'd? I just want to know cos thus I know why I do things that way :-)

I think you have it. You don't want untrusted people to login in as root. To limit sshd to non root accounts makes someone have to work harder to gain root access.
kent

--
From seeing and seeing the seeing has become so exhausted
First line of The Panther - R. M. Rilke
Re: root via ssh / why su - ?
On Sun, May 27, 2001 at 12:39:54PM +0200, Timo Blazko Boewing wrote:

> A silly theoretical question: in a ssh thread above, one got the answer *not* to enable root user access to a station, it would be better to use a limited user account and then gain access via su or that. What is the difference between that. Don't I have full admin rights with su? Or if I have, what is the difference? Is it cos a direct root login allows to exploit the sys due to some scripts that get autom. exec'd? I just want to know cos thus I know why I do things that way :-)

Two reasons come to mind:

1) In order to gain remote root access, an attacker must first compromise a user account to log in with. Simply obtaining the root password is not sufficient.

2) It is possible (though not likely) that there may be a little-known technique for sniffing the data sent while establishing an ssh connection. If such a technique were to exist, disabling root logins would ensure that an attacker using it would only get a user password while the root password would remain secure.

--
That's not gibberish... It's Linux. - Byers, The Lone Gunmen
Geek Code 3.12: GCS d? s+: a C++ UL$ P+ L+++ E- W--(++) N+ o+ !K w--- O M- V? PS+ PE Y+ PGP t 5++ X+ R++ tv+ b+ DI D G e* h r y+