Re: PermitRootLogin=yes versus su

From: richard lucassen (spamtrap@lucassen.org)
Date: 01/26/03


Date: Sun, 26 Jan 2003 21:34:21 +0100
From: richard lucassen <spamtrap@lucassen.org>

On 26 Jan 2003 09:37:10 -0800
wclark@eden.rutgers.edu (Bill Lewis Clark) wrote:

> A long-standing pet peeve of mine is the nearly universal belief that
> remote root logins via SSH are somehow less secure than connecting as
> a regular user and using su to become root.

> Can anyone come up with some GOOD reasons to prefer su to direct root
> logins?

It's not a question of wondering if you're paranoid, but if you're
paranoid enough ;-)

- I am forced to do as much as possible as a normal user; for
administration purposes I just "su -". Typical "daily" admin things can
be sudoed. Remember admins are very lazy people, so if they get used to
logging in as root, everything will be done as root ;-)

- getting root access is logged.

- IMHO it's good practice to deny everything, except what you
explicitly allow.

- only the users mentioned after the "AllowUsers" option are allowed to
access the machine, and the user with the name root gets an access
denied. So even when somebody obtains the root-password, he still has to
know the normal user-password. It is just an extra obstacle.

But keep in mind that if it were really dangerous to set
PermitRootLogin=yes, it would not have been the default setting ;-)

Richard.

-- 
___________________________________________________________________
Recursion: see recursion
+------------------------------------------------------------------+
| Richard Lucassen, Utrecht,    Linux 2.4.20 RedHat 7.2            |
| The Netherlands               i686/1200MHz/768MB                 |
| Public key: http://www.xs4all.nl/~pe1bbf/pubkey.asc              |
+------------------------------------------------------------------+
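
An audit of the setup discussed in the message above, added here as an example and not part of the original post: it reads the global section of an sshd_config and reports whether a direct root login is still possible once PermitRootLogin and AllowUsers are combined. The sample config, the account names alice and bob, and the function names are constructed for illustration; an unset PermitRootLogin is treated as "yes", the default the post mentions.

```python
import fnmatch
import re

# Constructed sample config (not from the post); alice and bob are made-up accounts.
SAMPLE_CONFIG = """\
# constructed example
Port 22
permitrootlogin yes
AllowUsers alice bob@192.0.2.*
PermitRootLogin no
Match User bob
    PermitRootLogin yes
"""

def parse_global(text):
    """Return (permit_root_login, allow_users) from the global section only."""
    permit_root, allow_users = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept "Keyword value" and "Keyword=value" (the thread subject's spelling).
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        args = parts[1].split() if len(parts) > 1 else []
        if key == "match":
            break  # Match blocks are conditional; this sketch does not evaluate them
        if key == "permitrootlogin" and permit_root is None and args:
            permit_root = args[0].lower()  # the first value obtained is the one used
        elif key == "allowusers":
            allow_users.extend(args)  # repeated AllowUsers lines accumulate
    return permit_root, allow_users

def user_allowed(user, allow_users):
    """No AllowUsers list admits everyone; otherwise the user part of a
    USER[@HOST] pattern must match. Negated (!) patterns are not modelled."""
    if not allow_users:
        return True
    return any(fnmatch.fnmatchcase(user, p.split("@", 1)[0]) for p in allow_users)

def audit(text, assumed_default="yes"):
    """Summarise the root-login exposure of one sshd_config text."""
    prl, allow = parse_global(text)
    effective = prl or assumed_default
    root_listed = bool(allow) and user_allowed("root", allow)
    return {"permit_root_login": effective, "allow_users_set": bool(allow),
            "root_in_allowusers": root_listed,
            "direct_root_login_possible": effective != "no" and user_allowed("root", allow)}

if __name__ == "__main__":
    for name, value in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {value}")
```

On a live host, `sshd -T` prints the effective configuration including defaults and Match handling, so its output is the authoritative input for a check like this.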

