Re: PermitRootLogin=yes versus su
From: Kyler Laird (Kyler@news.Lairds.org)
Date: 01/30/03
From: Kyler Laird <Kyler@news.Lairds.org> Date: Thu, 30 Jan 2003 16:23:26 GMT
ndescripto@yahoo.com (classical music) writes:

>If root login is
>disabled attacker needs to know user name on the system before
>attempting to login.

There are ways to mix the two approaches.

PermitRootLogin is not tied to "root". It controls login by
anyone with UID 0. You could easily make a "secretroot" account
for use when logging in remotely. Leaving the "root" account
around might be necessary for local use (like when a disk goes
bad) though.

Another possibility is to turn off PermitRootLogin and create an
account with a non-zero UID which simply (logs the key used and
then) does the ol' "sudo bash" trick.

I'm not sure how I feel about using such tricks, but I can see
that they might have a place in some organizations.

>With root login enabled you are
>vulnerable to brute force attack.

Well, you can still brute force attack a password *and* a login,
but it's significantly more difficult. It also requires knowing
that you need to do so.

--kyler
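
Added example, not part of the original post: a defender-side audit of the point that PermitRootLogin governs every UID 0 account rather than the name "root". The passwd and sshd_config text is constructed sample data, `secretroot` is the hypothetical account named in the post, and Match blocks and Include files are ignored as a simplification.

```python
# Constructed sample data, not from the original post. "secretroot" is the
# hypothetical second UID 0 account the post describes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
secretroot:x:0:0:remote admin:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
"""
SAMPLE_SSHD_CONFIG = """\
Port 22
permitrootlogin no
PermitRootLogin yes
"""

def uid0_accounts(passwd_text):
    """Return login names whose UID field is 0, in file order."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # comment, blank or malformed entry
        if int(fields[2]) == 0:
            names.append(fields[0])
    return names

def permit_root_login(config_text):
    """Return the first global PermitRootLogin value, or None if unset.
    sshd keywords are case-insensitive and the first value obtained wins.
    Match blocks and Include files are not evaluated (simplification)."""
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].replace("=", " ").split()
        if parts and parts[0].lower() == "match":
            break  # conditional section: out of scope here
        if len(parts) > 1 and parts[0].lower() == "permitrootlogin":
            return parts[1].lower()
    return None

def audit(passwd_text, config_text):
    """Report every account PermitRootLogin governs, not just 'root'."""
    setting = permit_root_login(config_text)
    accounts = uid0_accounts(passwd_text)
    return {
        "setting": setting,  # None means the version default applies
        "governed_accounts": accounts,
        "extra_uid0": [n for n in accounts if n != "root"],
        "remote_uid0_blocked": setting == "no",
    }

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_SSHD_CONFIG))
```

Any name listed under `extra_uid0` is an account the setting applies to even though it is not called "root", so it belongs in the same review as root itself.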