The real point is for non-volatile situation accountability. If they already
have access and they have root pass, then there's nothing stopping them.
Hell, if they have access to the system at all, there's almost nothing
stopping them, depending on skills.
--
Austin Gonyou
Systems Architect, CCNA
Coremetrics, Inc.
Phone: 512-796-9023
email: [EMAIL PROTECTED]
> -----Original Message-----
> From: Paul Farber [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, September 25, 2001 4:05 PM
> To: Roberto L Iriarte
> Cc: Edward Lewis; [EMAIL PROTECTED]
> Subject: Re: Why restrict root logins?
>
>
> But if they already have your root password they already have the smarts to
> change things after they are done. Editing wtmp/utmp syslogs is not
> terribly difficult... also satan/et al should be able to determine
> if/when files were changed and really smart admins write syslogs to a
> remote machine with limited access for ONLY syslogs.
>
> --
> Paul Farber
> Farber Technology
> [EMAIL PROTECTED]
> Ph 570-628-5303
> Fax 570-628-5545
>
> On Tue, 25 Sep 2001, Roberto L Iriarte wrote:
>
> > One of the most often stated reasons not to log in as root is accountability.
> >
> > If you have to log in with another account and then su to root, then it is
> > much easier to know who did anything with the root account.
> >
> > At 01:02 PM 9/25/2001 -0400, Edward Lewis wrote:
> > > From my experience, even if I am root at one box, I still need to supply
> > > the root password at the other box. (I don't mean to argue, but I am
> > > trying to make sure I understand the point.) Are you saying that the root
> > > key for another machine might be on the current machine? If so, isn't that
> > > just bad password management?
> > >
> > >At 12:19 PM -0400 9/25/01, [EMAIL PROTECTED] wrote:
> > > > Because, if a hacker gets on one box that has a root key to another
> > > > machine, it's all over.
> > > >
> > > >On Tue, 25 Sep 2001, Edward Lewis wrote:
> > > >
> > > >> I have been asked about the rationale behind restricting direct root logins
> > > >> via SSH. (There is an sshd configuration option on this.) Is there a
> > > >> document that lists the reason why this exists?
> > > >>
> > > >> In the absence of that, if folks want to contribute technical reasons why one
> > > >> should restrict root logins, I would appreciate input. Since this might
> > > >> be a topic in which feelings run deep, off-list is probably better and I'll
> > > >> summarize.
> > >
> >
> >-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> > > Edward Lewis                                           NAI Labs
> > > Phone: +1 443-259-2352  Email: [EMAIL PROTECTED]
> > >
> > >You fly too often when ... the airport taxi is on speed-dial.
> > >
> > >Opinions expressed are property of my evil twin, not my employer.
> > >
> > >
> > >
> >
> >---------------------------------------------------------------------
> > >To unsubscribe, e-mail: [EMAIL PROTECTED]
> > >For additional commands, e-mail: [EMAIL PROTECTED]
> >
> >
> >
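The accountability argument in the thread (no direct root over SSH, so root is only reached by su from a personal account) can be checked against the auth log, ideally the copy on the remote syslog host Paul mentions. The script below is an added example, not code from anyone in the thread; the log lines are constructed and the sshd/su message formats are assumed.

```python
"""Attribute root activity to the person who obtained it (added example, not
from the thread). Parses sshd and su lines from an auth log and reports which
named user each root session belongs to; direct root SSH logins are flagged
because nobody individual can be held accountable for them."""
import re
from collections import defaultdict

# Constructed sample auth-log lines in syslog style (assumed format, not from the page).
SAMPLE_LOG = """\
Sep 25 13:01:10 web1 sshd[4211]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Sep 25 13:01:11 web1 sshd[4211]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Sep 25 13:02:30 web1 su: (to root) alice on pts/0
Sep 25 13:05:02 web1 sshd[4300]: Accepted password for bob from 10.0.0.9 port 51100 ssh2
Sep 25 13:06:40 web1 su: (to root) bob on pts/1
Sep 25 13:08:00 web1 sshd[4350]: Accepted password for root from 192.0.2.7 port 40000 ssh2
Sep 25 13:09:15 web1 su: (to root) alice on pts/2
"""

SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
SU_RE = re.compile(r" su: \(to root\) (\S+) on (\S+)")

def attribute_root_sessions(log_text):
    """Return (root_sessions, direct_root_logins).

    root_sessions maps each user to how many times they su'd to root, which
    is the accountability the thread wants. direct_root_logins lists the
    source and auth method of sshd logins as 'root'; with PermitRootLogin no
    in sshd_config that list should stay empty.
    """
    root_sessions = defaultdict(int)
    direct_root_logins = []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            method, user, src = m.groups()
            if user == "root":
                direct_root_logins.append((src, method))
            continue
        m = SU_RE.search(line)
        if m:
            user, _tty = m.groups()
            root_sessions[user] += 1
    return dict(root_sessions), direct_root_logins

if __name__ == "__main__":
    sessions, direct = attribute_root_sessions(SAMPLE_LOG)
    for user, n in sorted(sessions.items()):
        print(f"{user}: {n} root session(s) via su")
    for src, method in direct:
        print(f"WARNING: direct root login from {src} ({method}): no individual to attribute")
```

Any entry in the direct-login list means either PermitRootLogin is not set to no or the log has been tampered with, which is exactly why Paul wants the syslog copy on a separate, locked-down host.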