Re: SSH as root

From: John Brightwell (brightwell_151_at_yahoo.co.uk)
Date: 07/04/03

  • Next message: Greg A. Woods: "Re: SSH as root"
    Date: Fri, 4 Jul 2003 11:11:38 +0100 (BST)
    To: secureshell@securityfocus.com
    
    

    I think that there's an advantage in letting people
    ssh as root ... but I'm talking about using an
    authorized_keys file (not root itself).

    i.e., people use their own authentication but ssh -l
    root (and if their key is in the authorized_keys file
    they get in).

    The login creates a proper audit trail (the ssh log
    shows that the user logged in as root) and the user
    doesn't have to use (or remember) the root password.

    In this way the root password can be a complex
    password and doesn't need to be bandied about. Admins
    aren't tempted to use the same root password for
    multiple systems.

    The root password can be kept under lock and key (or
    strong encryption) and only used for emergencies ...
    such as, if the ssh daemon isn't running and the
    sysadmin has to su at the console.

    Root password maintenance and security is a problem in
    many companies - admins either have to remember lots
    of passwords, or they use the same one for multiple
    systems or (and I've seen this) they write them down
    on a piece of paper or stick them in an excel
    spreadsheet!

    In any of the above you can be sure that the password
    won't be particularly complex and probably won't be
    changed very often.

    Phew... bit of a rant ... sorry about that.

    Anyway ... that's what I've proposed previously, if
    there's a fly in the ointment I'm keen to hear about
    it.

    Thanks

    > -----Original Message-----
    > From: Jim Prewett [mailto:download@hpc.unm.edu]
    > Sent: 03 July 2003 20:36
    > To: Paul Bauer
    > Cc: secureshell@securityfocus.com
    > Subject: Re: SSH as root
    >
    > In my opinion, not allowing ssh as root gives you more accountability
    > (who is using root privs?); you get things like su/sudo logs that can
    > really help in tracking things down.
    >
    > I don't think that it is a security risk, but more of an accountability
    > risk (e.g. some root removed the filesystem, but I don't know which of my
    > co-root users did that!)
    >
    > Jim
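The accountability argument in the thread turns on one question: when the sshd log says "Accepted publickey for root", can you tell which person's key was used? The added example below (not code from the post or from OpenSSH) shows the check a practitioner would want. It assumes the setup John describes: sshd_config with `PermitRootLogin without-password` (the OpenSSH 7.0 and later spelling is `prohibit-password`) and a `/root/.ssh/authorized_keys` holding one key per admin with the person's name in the comment field. It also assumes the log format modern OpenSSH writes at the default LogLevel INFO, where the key type and SHA256 fingerprint follow the "ssh2:" on the Accepted line; older releases (including those current in 2003) only show which key matched with LogLevel VERBOSE, and the script flags lines with no fingerprint instead of guessing. The key material, the authorized_keys file and the log lines are all constructed inline; none of them are real keys or real logs.

```python
import base64
import hashlib
import re
import struct
from typing import Dict, List, Tuple

# Key types we recognise in an authorized_keys line.
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def _ssh_string(b: bytes) -> bytes:
    """Encode one SSH wire-format string (4-byte big-endian length prefix)."""
    return struct.pack(">I", len(b)) + b


def ed25519_blob(raw32: bytes) -> str:
    """Base64 blob of an ssh-ed25519 public key built from 32 raw bytes
    (wire format: string "ssh-ed25519" || string pubkey)."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw32)).decode()


def fingerprint(b64_blob: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(decoded blob)) with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> Dict[str, str]:
    """Map each key's fingerprint to its comment (the person the key belongs to).
    Option fields that contain no whitespace (e.g. from="10.0.0.0/8") are skipped over."""
    owners: Dict[str, str] = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        for i, tok in enumerate(tokens):
            if tok in KEY_TYPES and i + 1 < len(tokens):
                comment = " ".join(tokens[i + 2:]) or "(no comment)"
                owners[fingerprint(tokens[i + 1])] = comment
                break
    return owners


# Successful-login line as written by sshd; the ": <type> <fingerprint>" tail is optional
# because older OpenSSH does not log it at the default level.
LOGIN_RE = re.compile(
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
    r"(?:: (?P<ktype>\S+) (?P<fp>SHA256:\S+))?"
)


def attribute_root_logins(authorized_keys: str, log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """For each successful root login, return (source address, auth method, who).
    'who' is the key owner's comment, 'UNKNOWN KEY' for a fingerprint not in the file,
    'NO FINGERPRINT LOGGED' when sshd did not record the key, or 'PASSWORD' when the
    shared root password was used and no individual can be named."""
    owners = parse_authorized_keys(authorized_keys)
    result: List[Tuple[str, str, str]] = []
    for line in log_lines:
        m = LOGIN_RE.search(line)
        if not m or m.group("user") != "root":
            continue
        if m.group("method") != "publickey":
            who = "PASSWORD"
        elif m.group("fp") is None:
            who = "NO FINGERPRINT LOGGED"
        else:
            who = owners.get(m.group("fp"), "UNKNOWN KEY")
        result.append((m.group("src"), m.group("method"), who))
    return result


# Constructed sample key material: deterministic 32-byte values, NOT real keys.
ALICE_KEY = ed25519_blob(hashlib.sha256(b"alice").digest())
BOB_KEY = ed25519_blob(hashlib.sha256(b"bob").digest())
ROGUE_KEY = ed25519_blob(hashlib.sha256(b"rogue").digest())

# Constructed /root/.ssh/authorized_keys: one key per admin, comment names the person.
ROOT_AUTHORIZED_KEYS = f"""# one key per admin; the comment is the audit trail
ssh-ed25519 {ALICE_KEY} alice@workstation
from="10.0.0.0/8" ssh-ed25519 {BOB_KEY} bob@laptop
"""

# Constructed sshd log lines in the modern OpenSSH format (fingerprint on the Accepted line).
SAMPLE_LOG = [
    f"Jul  4 11:11:38 host sshd[2041]: Accepted publickey for root from 10.1.2.3 port 51234 ssh2: ED25519 {fingerprint(ALICE_KEY)}",
    f"Jul  4 11:15:02 host sshd[2077]: Accepted publickey for root from 10.1.2.9 port 51240 ssh2: ED25519 {fingerprint(BOB_KEY)}",
    f"Jul  4 11:20:41 host sshd[2101]: Accepted publickey for root from 198.51.100.7 port 40000 ssh2: ED25519 {fingerprint(ROGUE_KEY)}",
    "Jul  4 11:25:00 host sshd[2133]: Accepted password for root from 10.1.2.3 port 51250 ssh2",
    "Jul  4 11:26:00 host sshd[2140]: Accepted publickey for jim from 10.1.2.5 port 51260 ssh2: ED25519 SHA256:notrootignored",
]

if __name__ == "__main__":
    for src, method, who in attribute_root_logins(ROOT_AUTHORIZED_KEYS, SAMPLE_LOG):
        print(f"root login from {src} via {method}: {who}")
```

Run against a real host, the interesting lines are the last two kinds: an "UNKNOWN KEY" root login means a key reached the file that nobody wrote down, and a "PASSWORD" root login means the emergency password was used over the network, which the scheme in the post says should never happen unless sshd itself is the emergency.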

