> > Good security practice tells us that you shouldn't be logging in
> > *remotely* as root.
>
> I knew that was true for telnet due to interception during the
> authentication phase, but I don't see how ssh is affected by the same
> problem due to the encrypted pre-connection authentication phase that
> it has.
>
> Also, our billing system has to autonomously log in as root remotely
> to some of our other servers because it is very difficult to automate
> it by logging in as a normal user and then suing to root. If you an
> easy way to do it using perl, I'd like to hear it :)
When using a secure telnet or secure shell connection, the reason you
should not log in directly as 'root' is for auditing purposes. You
want to know who has logged in as root. The easiest way to do this is
to create additional account names with root privileges (uid 0).
If you were using Kerberos as your authentication mechanism you wouls
simply authenticate to the host with your personal Kerberos
credentials but request login as 'root'. The host would then check to
see whether or not you are authorized to login as 'root' based upon
the crednetials you delivered.
The TLS Telnetd that Peter Runestig and I support provide
for a similar functionaity with X.509 client certs. You authenticate
to telnetd by presenting a client cert and requesting an account to
login as. If you are authenticated (by verifying the cert) and have
authorization to login as 'root', then you are logged in as 'root',
but only after an entry to the logs indicating that JOHN_DOE logged in
as "root'.
The other reason for not logging in as "root" really comes down to the
reason why you should never send passwords across the net. You may
not be able to trust the host. If the host has been compromised you
do not want to hand to it your credentials in a form that can be used
for further attacks.
Jeffrey Altman * Sr.Software Designer C-Kermit 7.1 Alpha available
The Kermit Project @ Columbia University includes Secure Telnet and FTP
http://www.kermit-project.org/ using Kerberos, SRP, and
[EMAIL PROTECTED] OpenSSL. SSH soon to follow.
