Re: SSH as root

From: John Brightwell (
Date: 07/04/03

  • Next message: Greg A. Woods: "Re: SSH as root"
    Date: Fri, 4 Jul 2003 11:11:38 +0100 (BST)

    I think that there's an advantage in letting people
    ssh as root ... but I'm talking about using an
    authorized_keys file (not root itself).

    i.e. People use their own authentication but ssh -l
    root (and if their key is in the authorized_keys file
    they get in).

    The login creates a proper audit trail (the ssh log
    shows that the user logged in as root) and the user
    doesn't have to use (or remember) the root password.

    In this way the root password can be a complex
    password and doesn't need to be bandied about. Admins
    aren't tempted to use the same root password for
    multiple systems.

    The root password can be kept under lock and key (or
    strong encryption) and only used for emergencies ...
    such as, if the ssh daemon isn't running and the
    sysadmin has to su at the console.

    Root password maintenance and security is a problem in
    many companies - admins either have to remember lots
    of passwords, or they use the same one for multiple
    systems or (and I've seen this) they write them down
    on a piece of paper or stick them in an excel

    In any of the above you can be sure that the password
    won't be particularly complex and probably won't be
    changed very often.

    Phew... bit of a rant ... sorry bout that

    Anyway ... that's what I've proposed previously, if
    there's a fly in the ointment I'm keen to hear about


    > -----Original Message-----
    > From: Jim Prewett []
    > Sent: 03 July 2003 20:36
    > To: Paul Bauer
    > Cc:
    > Subject: Re: SSH as root
    > In my opinion, not allowing ssh as root gives you more accountability
    > (who is using root privs?); You get things like su/sudo logs that can
    > really help in tracking things down.
    > I don't think that it is a security risk, but more of an accountability
    > risk (e.g. some root removed the filesystem, but I don't know which of my
    > co-root users did that!)
    > Jim
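
An added example, not part of the original post or thread: the audit trail discussed above depends on tying each root login to one person's key. This sketch maps the fingerprint in sshd's "Accepted publickey" log line back to the comment field in root's authorized_keys. It assumes the log format of current OpenSSH releases; the key blobs, owner names, host name and addresses are constructed.

```python
import base64
import hashlib
import re

KEY_RE = re.compile(r'\b((?:ssh|ecdsa|sk)-[\w@.-]+)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$')
LOG_RE = re.compile(r'Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)')

def fingerprint(blob_b64):
    """SHA256 fingerprint as OpenSSH prints it: base64 of the digest, no padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def load_owners(authorized_keys_text):
    """Map fingerprint -> key comment (used here as the owner's name)."""
    owners = {}
    for line in authorized_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)  # search, so leading options such as from="..." are skipped
        if m:
            owners[fingerprint(m.group(2))] = m.group(3) or "(no comment)"
    return owners

def attribute_logins(log_lines, owners, account="root"):
    """Return (source address, owner) for each key-based login to `account`."""
    result = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(1) == account:
            # A fingerprint missing from authorized_keys is reported, not dropped.
            result.append((m.group(2), owners.get(m.group(3), "UNKNOWN KEY")))
    return result

# Constructed sample data: placeholder blobs, not real keys.
ALICE = base64.b64encode(b"constructed-key-material-alice").decode()
BOB = base64.b64encode(b"constructed-key-material-bob").decode()
SAMPLE_KEYS = "\n".join([
    "# root's authorized_keys: one line per admin, comment names the owner",
    f"ssh-ed25519 {ALICE} alice",
    f'from="192.0.2.0/24" ssh-ed25519 {BOB} bob',
])
SAMPLE_LOG = [
    f"Jul  4 11:02:10 host sshd[811]: Accepted publickey for root from 192.0.2.10 port 40022 ssh2: ED25519 {fingerprint(ALICE)}",
    f"Jul  4 11:05:43 host sshd[902]: Accepted publickey for root from 192.0.2.11 port 40100 ssh2: ED25519 {fingerprint(BOB)}",
    "Jul  4 11:09:01 host sshd[950]: Accepted password for root from 192.0.2.12 port 40311 ssh2",
    "Jul  4 11:12:30 host sshd[977]: Accepted publickey for root from 192.0.2.13 port 40500 ssh2: ED25519 SHA256:notInAuthorizedKeys",
]

if __name__ == "__main__":
    for src, who in attribute_logins(SAMPLE_LOG, load_owners(SAMPLE_KEYS)):
        print(f"root login from {src}: {who}")
```

The password login in the sample is not attributed to anyone, since that log line carries no key fingerprint.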
