Re: PermitRootLogin=yes versus su

From: Kyler Laird (Kyler@news.Lairds.org)
Date: 01/30/03


From: Kyler Laird <Kyler@news.Lairds.org>
Date: Thu, 30 Jan 2003 16:23:26 GMT

ndescripto@yahoo.com (classical music) writes:

>If root login is
>disabled attacker needs to know user name on the system before
>attempting to login.

There are ways to mix the two approaches.

PermitRootLogin is not tied to "root". It controls login by
anyone with UID 0. You could easily make a "secretroot" account
for use when logging in remotely. Leaving the "root" account
around might be necessary for local use (like when a disk goes
bad) though.

Another possibility is to turn off PermitRootLogin and create an
account with a non-zero UID which simply (logs the key used and
then) does the ol' "sudo bash" trick.

I'm not sure how I feel about using such tricks, but I can see
that they might have a place in some organizations.

>With root login enabled you are
>vulnerable to brute force attack.

Well, you can still brute force attack a password *and* a login,
but it's significantly more difficult. It also requires knowing
that you need to do so.

--kyler
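
Added example, not part of the original post: a small audit of the point above that PermitRootLogin applies to every UID 0 account rather than to the name "root". The passwd and sshd_config contents are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which accounts does PermitRootLogin actually govern?
# All file contents below are constructed sample data.

# Print the name of every account with UID 0 in a passwd-format file.
uid0_accounts() {
    awk -F: '!/^#/ && $3 == 0 { print $1 }' "$1"
}

# Print the global PermitRootLogin value from an sshd_config-format file.
# sshd uses the first value it reads; keywords are case-insensitive and may
# be written "Keyword value" or "Keyword=value". Match blocks are skipped.
permit_root_login() {
    awk -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# One line per UID 0 account, with the setting that applies to it.
audit() {
    setting=$(permit_root_login "$2")
    uid0_accounts "$1" | while read -r name; do
        printf '%s uid=0 PermitRootLogin=%s\n' "$name" "$setting"
    done
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
secretroot:x:0:0:remote admin:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
#PermitRootLogin no
PermitRootLogin=yes
Match User backup
    PermitRootLogin no
EOF

audit "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/sshd_config"
```

A result of "unset" means the file sets no global value and sshd's compiled-in default applies.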


