But if they already have your root password they already have the smarts to
change things after they are done. Editing wtmp/utmp syslogs is not
terribly difficult... also satan/et al should be able to determine
if/when files were changed and really smart admins write syslogs to a
remote machine with limited access for ONLY syslogs.
--
Paul Farber
Farber Technology
[EMAIL PROTECTED]
Ph 570-628-5303
Fax 570-628-5545
On Tue, 25 Sep 2001, Roberto L Iriarte wrote:
> One of the most said reasons not to login as root is accountability.
>
> If you have to login with another account and then su to root, then it is
> much easier to know who did anything with the root account.
>
> At 01:02 PM 9/25/2001 -0400, Edward Lewis wrote:
> > From my experience, even if I am root at one box, I still need to supply
> >the root password at the other box. (I don't mean to argue, but I am
> >trying to make sure I understand the point.) Are you saying that the root
> >key for another machine might be on the current machine? If so, isn't that
> >just bad password management?
> >
> >At 12:19 PM -0400 9/25/01, [EMAIL PROTECTED] wrote:
> > >Because, if a hacker gets on one box that has a root key to another
> > >machine, it's all over.
> > >
> > >On Tue, 25 Sep 2001, Edward Lewis wrote:
> > >
> > >> I have been asked about the rationale behind restricting direct root logins
> > >> via SSH. (There is a sshd configuration option on this.) Is there a
> > >> document that lists the reason why this exists?
> > >>
> > >> In absence of that, if folks want to contribute technical reasons why one
> > >> should restrict root logins, I would appreciate input. Since this might
> > >> be a topic in which feelings run deep, off-list is probably better and I'll
> > >> summarize.
> >
> >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> >Edward Lewis NAI Labs
> >Phone: +1 443-259-2352 Email: [EMAIL PROTECTED]
> >
> >You fly too often when ... the airport taxi is on speed-dial.
> >
> >Opinions expressed are property of my evil twin, not my employer.
> >
> >
> >
> >---------------------------------------------------------------------
> >To unsubscribe, e-mail: [EMAIL PROTECTED]
> >For additional commands, e-mail: [EMAIL PROTECTED]