As someone who manages a fair amount of Unix servers, I have found it
is difficult to keep track of multiple root passwords across the server
farm.  Inevitably you will end up writing the password down and leaving
it someplace where others can access it.  Passing multiple roots out to
multiple boxes also creates a headache every time someone leaves the
company.

I have found the best practice is to keep the root password to a select
few, and give others who need access sudo.  Always work with the amount
of permissions you need to get the job done.  If you don't need to be
logged in as root, don't be.  It's a little cheesy, but the old saying
holds: "an ounce of prevention is worth a pound of cure".

Furthermore, you never know what kind of keystroke capture software could
be on a machine in the field... no sense in "giving" away root to your
system.  In larger organizations you are going to find that most of your
attacks come from inside the firewall...
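
The sshd option the original question refers to is PermitRootLogin.  The
following audit helper is an added example, not code from anyone in this
thread; it assumes POSIX sh plus awk, and the config text it reads is a
constructed sample rather than a real host's file.  It shows the pitfall
that a later "PermitRootLogin no" does not override an earlier "yes",
because sshd honours the first occurrence of a keyword.

```shell
# Print the effective global PermitRootLogin value from an sshd_config read
# on stdin.  sshd uses the FIRST matching directive, so a later
# "PermitRootLogin no" does not override an earlier "yes".  Directives after
# a "Match" header are conditional and are ignored here.  Prints "unset" when
# the global section has no directive (the compiled-in default of that
# OpenSSH version then applies, which differs between releases).
effective_permit_root_login() {
    awk '
        { gsub(/=/, " ") }                        # accept "Keyword=value" form
        /^[[:space:]]*#/ || NF == 0 { next }      # skip comments and blanks
        tolower($1) == "match" { exit }           # end of the global section
        tolower($1) == "permitrootlogin" { found = 1; print tolower($2); exit }
        END { if (!found) print "unset" }
    '
}

# Map the value to a verdict a reviewer can act on.
permit_root_login_verdict() {
    case "$(effective_permit_root_login)" in
        no)     echo "restricted" ;;
        yes)    echo "permitted" ;;
        unset)  echo "default" ;;
        *)      echo "partial" ;;   # key-only or forced-command root access
    esac
}

# Constructed sample (not a real host's config): the later "no" is dead.
SAMPLE_CONFIG='# PermitRootLogin no   <- commented out, ignored
PermitRootLogin yes
PermitRootLogin no
Match User backup
    PermitRootLogin prohibit-password'

printf '%s\n' "$SAMPLE_CONFIG" | permit_root_login_verdict
```

Running the sample reports "permitted" for the constructed config, since the
first directive in the global section is "PermitRootLogin yes".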

 

-----Original Message-----
From: Edward Lewis [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, September 25, 2001 1:03 PM
To: [EMAIL PROTECTED]
Cc: Edward Lewis; [EMAIL PROTECTED]
Subject: Re: Why restrict root logins?


From my experience, even if I am root at one box, I still need to supply
the root password at the other box.  (I don't mean to argue, but I am
trying to make sure I understand the point.)  Are you saying that the
root key for another machine might be on the current machine?  If so,
isn't that just bad password management?

At 12:19 PM -0400 9/25/01, [EMAIL PROTECTED] wrote:
>Because, if a hacker gets on one box that has a root key to another
>machine, it's all over.
>
>On Tue, 25 Sep 2001, Edward Lewis wrote:
>
>> I have been asked about the rationale behind restricting direct root
>> logins via SSH.  (There is an sshd configuration option on this.)  Is
>> there a document that lists the reason why this exists?
>>
>> In absence of that, if folks want to contribute technical reasons why
>> one should restrict root logins, I would appreciate input.  Since this
>> might be a topic in which feelings run deep, off-list is probably
>> better and I'll summarize.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: [EMAIL PROTECTED]

You fly too often when ... the airport taxi is on speed-dial.

Opinions expressed are property of my evil twin, not my employer.



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]