RE: Allowing remote root login seems to be bad. Why?


I think Ron is totally right, logging is very important, not in order to
know who to blame in case of trouble but just in order to have
visibility on your system. Logs can be really verbose, no need to
concatenate that under only one user.

I wish to add something though. Sudo allows a non-privileged user to
substantially and temporarily (not more than a command line) take root rights.
Sudo is also fully configurable to only allow this feature for some
restricted things (restarting only the apache and mysql daemons, for example). If
operators have limited tasks and field of action, no need for them to have full
access; this may only cause more damage.

Limiting the root access level in a multi-managed environment is really
important if you don't wanna go mad.



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Mario Platt
Sent: Monday, June 02, 2008 5:36 PM
To: Ron Arts
Cc: secureshell@xxxxxxxxxxxxxxxxx
Subject: Re: Allowing remote root login seems to be bad. Why?


Well in my opinion, Debian guys are right, and for one reason only: logging.
If you log in to the machine as root, and everyone does it as well, you
will never know who is doing what. In the case of your machine being
only administered by yourself, and you have no sudo policies, it all
ends up being the same... but in a multi-admin environment, I think
it's an absolute must...

On Mon, Jun 2, 2008 at 9:29 AM, Ron Arts <ron@xxxxxxxxxxxxxx> wrote:

Today I found that different Linux distributions have various
policies regarding allowing remote root access. For example,
the Redhat/Fedora crowd seems to enable this on default installs,
but the Debian/Ubuntu crowd doesn't; they recommend sudo.

I googled around but could not find why fedora allows it, and the
debian people just seem to have one reason: 'allowing remote root
access is bad, everybody knows that'.

Suppose I ensure that root has a very strong password, then does
it really matter either way?
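
The accountability argument made in this thread, as an added example that is not part of any poster's message: a Python script that reads auth-log text and separates direct root SSH logins, where only a source address is recorded, from sudo invocations, which name the invoking account and the command. The log lines are constructed samples in the usual OpenSSH and sudo syslog layout, and `attribute_root_activity` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual OpenSSH / sudo syslog layout (not real logs).
SAMPLE_LOG = """\
Jun  2 09:12:01 web1 sshd[4101]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Jun  2 09:15:44 web1 sshd[4120]: Accepted publickey for alice from 192.0.2.21 port 40022 ssh2
Jun  2 09:16:03 web1 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service apache2 restart
Jun  2 09:20:10 web1 sshd[4177]: Accepted password for root from 192.0.2.10 port 51301 ssh2
Jun  2 09:31:52 web1 sudo:      bob : TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/service mysql restart
Jun  2 09:40:17 web1 sudo:      bob : command not allowed ; TTY=pts/2 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
"""

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
# The optional group captures a denial reason such as "command not allowed".
SUDO_RE = re.compile(r"sudo:\s+(\S+) : (?:(.+?) ; )?TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; COMMAND=(.*)$")

def attribute_root_activity(log_text):
    """Return (direct_root_login_sources, sudo_actions_by_user) from auth-log text."""
    root_logins = []                   # direct root sessions: only a source address is known
    sudo_actions = defaultdict(list)   # named account -> [(command, allowed)]
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m and m.group(2) == "root":
            root_logins.append(m.group(3))
            continue
        m = SUDO_RE.search(line)
        if m and m.group(3) == "root":
            user, denial, _, command = m.groups()
            sudo_actions[user].append((command, denial is None))
    return root_logins, dict(sudo_actions)

if __name__ == "__main__":
    logins, actions = attribute_root_activity(SAMPLE_LOG)
    print(f"{len(logins)} direct root logins, attributable only to: {sorted(set(logins))}")
    for user, cmds in sorted(actions.items()):
        for command, allowed in cmds:
            print(f"{user}: {'ran' if allowed else 'was DENIED'} {command}")
```

Whatever happens inside the two direct root sessions is tied only to an address that several administrators may share, while each sudo line, including the refused attempt to start a root shell, names the account behind it.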

