Re: Allowing remote root login seems to be bad. Why? (SUMMARY)

If I may chime in a bit late...

On Tue, 2008-06-03 at 13:18 -0700, Ben Ford wrote:
> Very weak security model.

I think it deserves more credit than that. This will neutralize most
attacks where the attacker doesn't know what IP address you do or don't
allow in.

On Wed, 2008-06-04 at 08:51 +0200, Ron Arts wrote:
> Stated differently: will dictionary attacks always succeed?

It depends on the dictionary :) but to generalize: every password can be guessed.

On Fri, 2008-06-06 at 03:17 -0700, Bond Masuda wrote:
> In my experience, using public key authentication is often more of a
> security risk, depending on the situation. If the remote machine that
> holds the private key (and some store this with no password for
> convenience) is compromised, they immediately have an open door into
> your server. You may have no control how passwords are enforced,
> are applied, or if any security is implemented on the remote end.
> Setting up public key authentication, in effect extends your "trust
> domain" to a server that may not be so trustworthy. To me, it makes
> more sense to rely on security I can control. (which is often not the
> case if it is some other user's office desktop or workstation)


I just want to point out that the same argument can usually be applied
to password-based authentication. There are a number of ways that a
compromised workstation will compromise their password, too: keyloggers
being the first that comes to mind. I bet there's a lot more malware
out there that looks for passwords going into password fields than
malware that looks for private keys.

I guess it could go either way, but I still think you've got better odds
with key-based authentication.

On Mon, 2008-06-02 at 10:29 +0200, Ron Arts wrote:

<Ron's original post>

To respond to your original question, Ron, consider that security is
not a switch but a scale. There's always things you could be doing
better, or worse. Usually the biggest thing to consider is risk versus
inconvenience, because security almost always comes at the cost of

If you're looking for an academic answer to why remote root login is
bad, it's been answered a few times over: it's not bad, but it could be
better. Non-privileged login + sudo means having to guess a
username+password combination, plus a second password, as opposed to
having to just guess a password.

If you're interested in a more practical answer, consider how
inconvenient it is to have to login as jdoe and then su into root. In
my opinion, it's not. It takes me an extra 3 or 4 seconds at the
beginning of an SSH session. Whenever I have the choice, I stick with
no root login because the gain is high, the cost is low. So I guess my
response to "Why" is "Why not?"

Hope that was beneficial,
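
The settings argued over in this thread (root login, password versus key authentication, and limiting which addresses may connect) can be checked mechanically. The following is an added example, not part of the original message: a small audit of an sshd_config, where the sample configurations, function names and finding labels are all constructed for illustration.

```python
# Added example, not from the thread. Simplifications (assumptions): only the
# global section before the first "Match" is read, Include files are not
# followed, keyword and arguments are whitespace-separated, and the defaults
# are those of current OpenSSH releases.
DEFAULTS = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}

# Constructed sample configurations, not taken from any real host.
WEAK = """\
PermitRootLogin yes
PasswordAuthentication yes
# sshd keeps the first value it reads, so the next line has no effect
PermitRootLogin no
AllowUsers jdoe@192.0.2.* backup
"""
HARDENED = """\
PermitRootLogin no
PasswordAuthentication no
AllowUsers jdoe@192.0.2.*
"""

def parse_global(text):
    """Return {keyword: [args]}; first value wins, AllowUsers lines accumulate."""
    settings = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                      # blank line, comment, or no argument
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            break                         # conditional blocks are out of scope here
        if key == "allowusers":
            settings.setdefault(key, []).extend(args)
        else:
            settings.setdefault(key, args)
    return settings

def audit(text):
    """Return finding labels for the settings this thread argues about."""
    cfg = parse_global(text)
    root = cfg.get("permitrootlogin", [DEFAULTS["permitrootlogin"]])[0].lower()
    pw = cfg.get("passwordauthentication", [DEFAULTS["passwordauthentication"]])[0].lower()
    allow = cfg.get("allowusers", [])
    findings = []
    if root == "yes" and pw == "yes":
        findings.append("root-password-login")   # one guessed password is enough
    if pw == "yes" and not allow:
        findings.append("no-allowusers")         # any account name can be tried
    findings += ["allowusers-any-host:" + e for e in allow if pw == "yes" and "@" not in e]
    return findings
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative source; the parser above only approximates it.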