Re: PermitRootLogin=yes versus su

From: Neil W Rickert (rickert+nn@cs.niu.edu)
Date: 01/27/03


From: Neil W Rickert <rickert+nn@cs.niu.edu>
Date: 27 Jan 2003 04:58:23 GMT

wclark@eden.rutgers.edu (Bill Lewis Clark) writes:
>Neil W Rickert <rickert+nn@cs.niu.edu> wrote in message news:<b117m6$gj7$1@husk.cso.niu.edu>...

>> I don't think this was ever a matter of vulnerabilities (even with
>> telnet logins). It is a matter of leaving a clearer trail as to who
>> logged in as root.

>I do think vulnerability played at least some significant role in the
>days of telnet (I knew many admins who would "dilly-dally" around
>somewhat before executing su, simply to make would-be password packet
>sniffers scan through that many more packets, or miss the password
>entirely.)

>However, you make a good point in that telnet had none of the nice
>auditing/logging features that SSH sports.

>On the other hand, given the clear audit trail left by SSH, I still
>don't see the need for su in these situations.

The "clear audit trail left by SSH" is often not so clear.

Yes, I do sometimes log in as root with SSH. But I do so only from a
limited set of machines. If I am working from home, on a dynamic IP,
I normally first log into my office system (with ssh-agent
forwarding). From there I might consider logging in as root to one
of the systems I administer. But I don't want to log in as root
directly from home, because I want people to be suspicious of any
root login from an unexpected site.
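
The following is an added example, not part of the original post: one way to act on the point about being suspicious of root logins from unexpected sites is to flag accepted root logins whose source is outside an allowlist. It assumes OpenSSH's syslog message format "Accepted <method> for <user> from <addr> port <n>"; the allowlist networks, the function name and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Assumed allowlist: the "limited set of machines" root is expected to come
# from. Documentation-range networks, constructed for this example.
TRUSTED_ROOT_SOURCES = [
    ipaddress.ip_network("192.0.2.0/28"),
    ipaddress.ip_network("2001:db8:10::/64"),
]

# OpenSSH logs successful authentication as "Accepted <method> for <user> ...".
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<addr>\S+) port \d+"
)

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "Jan 27 04:12:01 srv1 sshd[2101]: Accepted publickey for root from 192.0.2.5 port 40122 ssh2",
    "Jan 27 04:30:44 srv1 sshd[2188]: Accepted password for alice from 198.51.100.23 port 51515 ssh2",
    "Jan 27 04:58:23 srv1 sshd[2240]: Accepted password for root from 198.51.100.23 port 51620 ssh2",
    "Jan 27 05:02:10 srv1 sshd[2251]: Failed password for root from 203.0.113.9 port 40000 ssh2",
    "Jan 27 05:10:00 srv1 sshd[2300]: Accepted publickey for root from ::ffff:192.0.2.7 port 40200 ssh2",
    "Jan 27 05:20:00 srv1 sshd[2311]: Accepted publickey for root from 2001:db8:99::1 port 40300 ssh2",
]


def unexpected_root_logins(lines, trusted=TRUSTED_ROOT_SOURCES):
    """Return (source, method, line) for each accepted root login whose
    source address is not inside any trusted network."""
    findings = []
    for line in lines:
        m = ACCEPTED.search(line)
        if not m or m.group("user") != "root":
            continue  # not a successful login, or not root
        source, method = m.group("addr"), m.group("method")
        try:
            addr = ipaddress.ip_address(source)
        except ValueError:
            # Unparseable source: report it rather than silently skipping.
            findings.append((source, method, line))
            continue
        # A dual-stack sshd may log IPv4 peers as ::ffff:a.b.c.d.
        if addr.version == 6 and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        if not any(addr in net for net in trusted):
            findings.append((source, method, line))
    return findings
```
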