John Galt [EMAIL PROTECTED] writes:
that's what happened--the EPIC hole gave user. monkey.org (Dug Song) was
using standard security practice at that point, it's just for
convenience's sake, the user had a few things screened, including a
rootshell, probably because of the traditional
Hi all
Messing up with sshd_config for all the privsep stuff, I've noticed that
PermitRootLogin was set to yes in my three woody boxes. I usually
consider this a problem (although it has been my fault - i should have
checked and noticed this much time ago). What do you think of this?
IMHO, we'd
Is
there any landscape in which you may want to allow direct
root login to
your host?
I allow it to my firewall, since there isnt any other account on there. but
then again, that system only listens to my internal interfaces.. So, not
typical maybe?
--
To UNSUBSCRIBE, email to [EMAIL
On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis G?mez wrote:
IMHO, we'd better set it to no. I always thought it was much better. Is
there any landscape in which you may want to allow direct root login to
your host?
rsync where you want to keep userid/groupid info.
--
I tend to set it to without-password to allow a remote root entry only
via RSA/DSA keys, also making sure to restrict it further with as many
applicable options for AuthorizedKeysFile ( man sshd )
This is done as a restricated remote root backdoor as well as automated
network backups via dump
On Wed, Jun 26, 2002 at 02:11:00PM +0200 or thereabouts, InfoEmergencias - Luis
Gómez wrote:
Messing up with sshd_config for all the privsep stuff, I've noticed that
PermitRootLogin was set to yes in my three woody boxes. I usually
consider this a problem (although it has been my fault - i
On Wed, Jun 26, 2002 at 04:05:58PM +0200, Christoph Ulrich Scholler wrote:
On Wed, Jun 26, 2002 at 02:11:00PM +0200 or thereabouts, InfoEmergencias -
Luis Gómez wrote:
Messing up with sshd_config for all the privsep stuff, I've noticed that
PermitRootLogin was set to yes in my three woody
Simon Kirby [EMAIL PROTECTED] writes:
Using su root later is worse than just logging in as root with a key.
I cannot understand why using su root later would be worse. Can you
enlighten me?
--
Christian Egli
wyona: research development
http://www.wyona.com
--
To UNSUBSCRIBE, email to
On Wed, Jun 26, 2002 at 04:05:58PM +0200, Christoph Ulrich Scholler wrote:
On Wed, Jun 26, 2002 at 02:11:00PM +0200 or thereabouts,
InfoEmergencias - Luis Gómez wrote:
Messing up with sshd_config for all the privsep stuff, I've noticed that
PermitRootLogin was set to yes in my three woody
On Wed, Jun 26, 2002 at 05:08:32PM +0200, Christian Egli wrote:
Simon Kirby [EMAIL PROTECTED] writes:
Using su root later is worse than just logging in as root with a key.
I cannot understand why using su root later would be worse. Can you
enlighten me?
Sure.
In all cases, you always
On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:
IMHO, we'd better set it to no. I always thought it was much better. Is
there any landscape in which you may want to allow direct root login to
your host?
Yes, there is. For example I have some servers that retrieve
El mié, 26-06-2002 a las 16:39, Sebastian Rittau escribió:
Yes, there is. For example I have some servers that retrieve their user
information from a database. If the database is not reachable, an
ordinary user can't login, but root can, since it's the only local
account with login privileges.
Sebastian Rittau [EMAIL PROTECTED] writes:
On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:
IMHO, we'd better set it to no. I always thought it was much better. Is
there any landscape in which you may want to allow direct root login to
your host?
Yes,
I think there may be a compromise solution here...
In short: it is good to make people log in as a normal user before trying
to log in as root, because that way an attacker needs to compromise a
normal user before starting on root. The standard way of doing this is
to use su, but that only
On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:
Hi all
Messing up with sshd_config for all the privsep stuff, I've noticed that
PermitRootLogin was set to yes in my three woody boxes. I usually
consider this a problem (although it has been my fault - i should
That's how monkey.org got taken over--they SCREENed a su, and the attacker
reattached it after getting as user via EPIC...
On 26 Jun 2002, Christian Egli wrote:
Simon Kirby [EMAIL PROTECTED] writes:
Using su root later is worse than just logging in as root with a key.
I cannot understand
On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:
Hi all
Messing up with sshd_config for all the privsep stuff, I've noticed that
PermitRootLogin was set to yes in my three woody boxes. I usually
consider this a problem (although it has been my fault - i should
hi all
if an attacker got in ... as a user game over... they got in ???
- question is what damage can they do as user ...
if an attacker get in the same way as root... game is really over...
as they now have complete control of yoru machine..
- i prefer to disallow root
hi ya
in order to update 10, 100 boxes ... with new setof changes..
you do NOT need to login into any of um ... many different ways to update
each target box based on some master distribution server
-- you do want to test the updates in a test farm before it goes out to
production and
Alvin,
If the cracker can get in as a user, it's merely a matter of time before they
can worm their way into becoming root. Defenses against this are difficult, the
NSA version SELinux deliberately places great restrictions on user abilities
to try to prevent just such things. But I don't
On Wed, 26 Jun 2002, Alvin Oga wrote:
hi all
if an attacker got in ... as a user game over... they got in ???
- question is what damage can they do as user ...
that's what happened--the EPIC hole gave user. monkey.org (Dug Song) was
using standard security practice at that
Travis Cole [EMAIL PROTECTED] writes:
On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:
Hi all
Messing up with sshd_config for all the privsep stuff, I've
noticed that PermitRootLogin was set to yes in my three woody
boxes. I usually consider this a
hi ya john
On Wed, 26 Jun 2002, John Galt wrote:
On Wed, 26 Jun 2002, Alvin Oga wrote:
if an attacker got in ... as a user game over... they got in ???
- question is what damage can they do as user ...
that's what happened--the EPIC hole gave user. monkey.org (Dug Song) was
23 matches
Mail list logo