I would have to concur on that point. In an environment where you
have multiple admins you need accountability, and many times it is
required by law that you do so. Not so much about tracking someone
who did something wrong, but there are many laws and legal
regulations that just require you to keep this type of
information.... and "they" do check on occasion.

There is only one problem I have seen with this.... Xforwarding.
The steps to get Xforwarding to work via ssh after a user
"su's to root" are pretty ugly.

So this brings up another point.... does anyone have a good
procedure that would allow folks to SU to root either via sudo or
just plain su and still be able to forward X traffic through SSH?

-Todd Wilkinson
[EMAIL PROTECTED]
At 02:31 PM 9/25/01 -0400, Greg A. Woods wrote:
>[ On Tuesday, September 25, 2001 at 11:59:45 (-0400), Edward Lewis wrote: ]
> > Subject: Why restrict root logins?
> >
> > I have been asked about the rationale behind restricting direct root logins
> > via SSH. (There is a sshd configuration option on this.) Is there a
> > document that lists the reason why this exists?
>
>Because generally speaking the "root" account is a shared account, and
>without accountability to match system activities to a real-world person
>there is no security (possible, by definition).
>
>You don't really need to restrict root logins if only one person knows
>the root password (or other authentication token) since then you know
>who the real person is using the "root" account.
>
>However there's some benefit perceived by some people in requiring two
>authentication steps to get to superuser access (i.e. normal user login,
>followed by 'su').
>
>--
> Greg A. Woods
>
>+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
>Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]