PermitRootLogin=yes versus su

From: Bill Lewis Clark (wclark@eden.rutgers.edu)
Date: 01/26/03


From: wclark@eden.rutgers.edu (Bill Lewis Clark)
Date: 26 Jan 2003 09:37:10 -0800

A long-standing pet peeve of mine is the nearly universal belief that
remote root logins via SSH are somehow less secure than connecting as
a regular user and using su to become root.

Back in the days before strong encryption, when remote access was done
via telnet or rlogin, it made perfect sense to restrict root logins.
In situations where remote root access was absolutely necessary, su
was a reasonable alternative.

However, we now have SSH. Given the option of securely logging into a
machine as root, I don't see the advantage of using su in this
capacity, any longer. In fact, I see several disadvantages.

Logging in directly as root via SSH only leaves the remote account and
SSH protocols as vulnerabilities.

Logging in as a regular user via SSH, then using su to become root,
leaves the remote account, SSH protocols, local regular user account,
and su binary all as potential vulnerabilities.

I don't see how adding more points of vulnerability is an improvement.
I know that the su method made sense before SSH, but why is it still
considered standard practice? Is it simply inertia?

Can anyone come up with some GOOD reasons to prefer su to direct root
logins?

-Bill
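Whichever side of this argument one takes, the first thing an auditor wants to know is what PermitRootLogin a given sshd_config actually enforces. That is less obvious than a grep, because sshd honours the first occurrence of a keyword and ignores later ones, accepts either whitespace or a single "=" between keyword and value (hence the "PermitRootLogin=yes" spelling in the subject line), and treats everything after a Match line as conditional. The helper below is an added example, not part of Bill's post or of OpenSSH; the sample config it parses is constructed for illustration, and the classification labels are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post, not OpenSSH code): report the
# effective global PermitRootLogin value from sshd_config text.
# Real sshd semantics relied on here: first occurrence of a keyword wins,
# keywords are case-insensitive, "keyword=value" is accepted, and lines
# after a "Match" line apply only to that Match block.

# Constructed sample config. The second PermitRootLogin and the Match block
# are deliberate: a naive "grep -i permitrootlogin" shows "yes" twice even
# though the global setting is "without-password".
SAMPLE_CONFIG='# sshd_config (constructed sample for this example)
Port 22
permitrootlogin without-password
PasswordAuthentication no
PermitRootLogin yes
Match Address 10.0.0.0/8
    PermitRootLogin yes
'

# effective_permit_root_login CONFIG_TEXT
#   Prints the first global PermitRootLogin value (lower-cased), or "unset"
#   if the keyword never appears outside a Match block.
effective_permit_root_login() {
    printf '%s\n' "$1" | awk '
        { line = $0; gsub(/=/, " ", line); n = split(line, f) }   # allow key=value
        n == 0 || f[1] ~ /^#/ { next }                              # blank or comment
        tolower(f[1]) == "match" { in_match = 1; next }             # rest is conditional
        in_match { next }
        tolower(f[1]) == "permitrootlogin" && !found {
            print tolower(f[2]); found = 1                          # first match wins
        }
        END { if (!found) print "unset" }
    '
}

# classify_root_login VALUE
#   Maps a PermitRootLogin value to an audit label (labels are this
#   example's own, not OpenSSH terminology).
classify_root_login() {
    case "$1" in
        yes)                                  echo "root-login-any-auth" ;;
        without-password|prohibit-password)   echo "root-login-key-only" ;;
        forced-commands-only)                 echo "root-login-forced-command-only" ;;
        no)                                   echo "root-login-disabled" ;;
        unset)                                echo "root-login-default" ;;
        *)                                    echo "root-login-unknown-value" ;;
    esac
}

value=$(effective_permit_root_login "$SAMPLE_CONFIG")
printf 'effective PermitRootLogin: %s (%s)\n' "$value" "$(classify_root_login "$value")"
```

On a live host, `sshd -T` prints the fully resolved configuration and is the authoritative check; the parser above is for reviewing config files at rest (backups, configuration-management repositories) where the daemon is not available to ask.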


