Re: changing root account name
From: Kutulu (kutulu@kutulu.org)
Date: 11/05/01
- Previous message: Jose Nazario: "Re: Over-procedurizing as a security risk"
- In reply to: UnixHQ BugTraq Archive: "RE: changing root account name"
Date: Mon, 5 Nov 2001 12:02:38 -0500
From: Kutulu <kutulu@kutulu.org>
To: UnixHQ BugTraq Archive <bugtraq@UnixHQ.org>
Subject: Re: changing root account name
Message-ID: <20011105120238.B94984@pr0n.kutulu.org>

On Sat, Nov 03, 2001 at 11:51:36AM -0600, UnixHQ BugTraq Archive wrote:
> > Is there a reason that you even consider allowing root access from a remote
> > workstation?
> At the moment I have 25+ Linux 'workstations' that I admin, soon to be
> around 50->60 when I get another lab. I allow remote root logins from the IP
> block that I've been assigned. Sure it's a *major* security risk, and I

A bit off-topic from the original message, but, if you aren't already:

Have you considered just running OpenSSH with 'PermitRootLogin without-password' set? This permits you to log in as root, but only via DSA public-key encryption. This setup is pretty much just as secure as SSH'ing in as a user and using 'su' (assuming you use SSHv2), in that anyone who can brute-force decrypt the DSA key for root can also probably locate and decrypt the password in the cipher stream immediately after 'su<enter>'. And you can restrict the public key to certain source addresses, etc.

--K
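
An added example, not part of the original message: a small audit of the setup suggested above, checking that sshd_config sets root login to key-only and that every key in root's authorized_keys carries a from= source restriction. The function names and sample data are constructed for illustration; prohibit-password is the newer OpenSSH spelling of without-password, and Match blocks are not evaluated.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of OpenSSH key-type names
KEY_ONLY = ("without-password", "prohibit-password", "forced-commands-only", "no")

def permit_root_login(sshd_config):
    """Global PermitRootLogin value (first occurrence wins in sshd), or 'unset'."""
    for raw in sshd_config.splitlines():
        parts = re.split(r"\s*=\s*|\s+", raw.strip(), maxsplit=1)
        if parts[0].lower() == "match":  # conditional blocks are out of scope here
            break
        if parts[0].lower() == "permitrootlogin" and len(parts) == 2:
            return parts[1].strip().lower()
    return "unset"

def split_unquoted(text, seps):
    """Split on any character in seps that sits outside double quotes."""
    out, cur, quoted = [], "", False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch in seps and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
    return out + [cur] if cur else out

def key_sources(line):
    """from= pattern list of one authorized_keys line, or None if unrestricted."""
    fields = split_unquoted(line.strip(), " \t")
    if not fields or fields[0].startswith(KEY_TYPES):
        return None  # line starts with the key type, so it has no options field
    for opt in split_unquoted(fields[0], ","):
        name, _, value = opt.partition("=")
        if name.lower() == "from":
            return value.strip('"').split(",")
    return None

def audit(sshd_config, root_authorized_keys):
    """Return findings for a root-over-SSH setup that should be key-only."""
    mode = permit_root_login(sshd_config)
    findings = [] if mode in KEY_ONLY else [f"PermitRootLogin is {mode!r}, not explicitly key-only"]
    for n, line in enumerate(root_authorized_keys.splitlines(), 1):
        if line.strip() and not line.lstrip().startswith("#") and key_sources(line) is None:
            findings.append(f"authorized_keys line {n}: root key has no from= restriction")
    return findings

# Constructed sample input (addresses from the 192.0.2.0/24 documentation range).
SAMPLE_CONFIG = "Protocol 2\nPermitRootLogin without-password\n"
SAMPLE_KEYS = ('from="192.0.2.*,admin.example.org" ssh-dss AAAACONSTRUCTED root@lab\n'
               "ssh-dss AAAACONSTRUCTED old-key\n")
```

Calling `audit(SAMPLE_CONFIG, SAMPLE_KEYS)` reports only the second key, which lacks a source restriction.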