[ On Tuesday, September 25, 2001 at 11:59:45 (-0400), Edward Lewis wrote: ]
> Subject: Why restrict root logins?
>
> I have been asked about the rationale behind restricting direct root logins
> via SSH.  (There is a sshd configuration option on this.)  Is there a
> document that lists the reason why this exists?

Because generally speaking the "root" account is a shared account, and
without accountability to match system activities to a real-world person
there is no security (possible, by definition).

You don't really need to restrict root logins if only one person knows
the root password (or other authentication token) since then you know
who the real person is using the "root" account.

However there's some benefit perceived by some people in requiring two
authentication steps to get to superuser access (i.e. normal user login,
followed by 'su').

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <[EMAIL PROTECTED]>     <[EMAIL PROTECTED]>
Planix, Inc. <[EMAIL PROTECTED]>;   Secrets of the Weird <[EMAIL PROTECTED]>
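
An added example, not part of the original message or thread: the accountability point above, shown as a log check that tries to match each root session to a named account. The log lines are constructed, and their formats are assumptions modelled on common OpenSSH and su syslog output, which varies between systems.

```python
import re

# Constructed sample log lines (not from the original thread). Message formats
# are assumptions modelled on common OpenSSH and su syslog output; they vary
# between systems.
SAMPLE_LOG = """\
Sep 25 11:02:11 host sshd[411]: Accepted password for alice from 192.0.2.10 port 40112 ssh2
Sep 25 11:02:40 host su[420]: (to root) alice on pts/0
Sep 25 11:30:05 host sshd[502]: Accepted password for root from 192.0.2.77 port 40980 ssh2
Sep 25 11:41:19 host sshd[530]: Accepted publickey for bob from 192.0.2.11 port 41200 ssh2
Sep 25 11:45:02 host su[544]: FAILED su for root by bob
Sep 25 11:45:30 host su[547]: (to root) bob on pts/1
"""

SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
SU_TO_ROOT = re.compile(r"su\[\d+\]: \(to root\) (\S+) on (\S+)")

def root_access_events(log_text):
    """Return (timestamp, how, accountable_user, detail) for each root session.

    accountable_user is None when the log names only the shared "root"
    account, i.e. a direct root login.
    """
    events = []
    for line in log_text.splitlines():
        stamp = line[:15]  # classic syslog timestamp, e.g. "Sep 25 11:02:11"
        m = SSH_ACCEPT.search(line)
        if m and m.group(2) == "root":
            events.append((stamp, "direct-ssh", None, "from " + m.group(3)))
            continue
        m = SU_TO_ROOT.search(line)
        if m:
            events.append((stamp, "su", m.group(1), "on " + m.group(2)))
    return events

def unattributed(events):
    """Root sessions that cannot be matched to a named account."""
    return [e for e in events if e[2] is None]

if __name__ == "__main__":
    for stamp, how, user, detail in root_access_events(SAMPLE_LOG):
        print(f"{stamp}  {how:10}  {user or 'UNKNOWN (shared root)'}  {detail}")
```

The two `su` sessions resolve to alice and bob, while the direct root login yields only a source address.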
