Re: SSH as root
From: John Brightwell (brightwell_151_at_yahoo.co.uk)
Date: Fri, 4 Jul 2003 11:11:38 +0100 (BST) To: firstname.lastname@example.org
I think that there's an advantage in letting people
ssh as root ... but I'm talking about using an
authorized_keys file (not root itself).
i.e. People use their own authentication but ssh -l
root (and if their key is in the authorized_keys file
they get in).
The login creates a proper audit trail (the ssh log
shows that the user logged in as root) and the user
doesn't have to use (or remember) the root password.
In this way the root password can be a complex
password and doesn't need to be bandied about. Admins
aren't tempted to use the same root password for
The root password can be kept under lock and key (or
strong encryption) and only used for emergencies ...
such as, if the ssh daemon isn't running and the
sysadmin has to su at the console.
Root password maintenance and security is a problem in
many companies - admins either have to remember lots
of passwords, or they use the same one for multiple
systems or (and I've seen this) they write them down
on a piece of paper or stick them in an excel
In any of the above you can be sure that the password
won't be particularly complex and probably won't be
changed very often.
Phew... bit of a rant ... sorry bout that
Anyway ... that's what I've proposed previously, if
there's a fly in the ointment I'm keen to hear about
> -----Original Message-----
> From: Jim Prewett [mailto:email@example.com]
> Sent: 03 July 2003 20:36
> To: Paul Bauer
> Cc: firstname.lastname@example.org
> Subject: Re: SSH as root
> In my opinion, not allowing ssh as root gives you
> (who is using root privs?); You get things like
su/sudo logs that can
> really help in tracking things down.
> I don't think that it is a security risk, but more
> risk (eg. some root removed the filesystem, but I
> which of my
> co-root users did that!)
Yahoo! Plus - For a better Internet experience