[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SSH - secure by default?

One good reason for not allowing root logins through any means is that if
you force people to use su then you get an audit trail of who accessed root.
By other means all you get is an IP address. Now if you get a clever hacker
this will simply give you the additional information that he cracked a wheel
group user before executing SU. Still, I'd take my chances with "not
allowing root logons".

This is a decision to be made by a security policy and not the install of an
operating system. It might cause some problems with people who do remote
installation of OpenBSD and need to reboot the machine and logon as root
before creating users. OpenSSH allows a very easy mechanism to disable root
logons anyways(uncomment 1 line of conf file).

Just my 2 cents worth.

Patrick Ethier

-----Original Message-----
From: Jeff Bachtel [mailto:sebastion_(_at_)_irelandmail_(_dot_)_com]
Sent: Thursday, February 24, 2000 11:37 AM
To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: SSH - secure by default?

There are only 2 reasons to not allow root logins through telnet

1) sniffability
   does NOT apply to ssh

2) bad root passwords (depends on physical security of machine)
   stupid bad and dumb anyway. If you have a bad root password, you
are owned, and that is that

so, permitting root logins through ssh is not a decrease in security

[this lays aside theoretical means to crack snooped ssh password
authentication schemes]


On Thu, Feb 24, 2000 at 10:54:52PM +0900, SUZUKI Hitoshi wrote:
> On Thu, Feb 24, 2000 at 06:08:26AM -0700, Theo de Raadt wrote:
> > I actually think it is rare for direct security improvements (ssh vs
> > telnet/rlogin) to affect useability, but this is one of those cases,
> > and useability does not compromise security mechanism or sane policy
> > in this case.
> With, default setting of sshd (/etc/sshd_config of OpenBSD's)
> PasswordAuthentication
> PermitEmptyPasswords
> PermitRootLogin
> are all yes. So, default sshd's setting is much like
> telnetd with '... network secure' on /etc/ttys.
> So default setting of sshd is not as good as telnetd's. X-<
> -- 
> sigh_(_at_)_net_(_dot_)_nagasaki-u_(_dot_)_ac_(_dot_)_jp
> sigh_(_at_)_kuzirabekon_(_dot_)_econ_(_dot_)_nagasaki-u_(_dot_)_ac_(_dot_)_jp
> Faculty of Economics, Nagasaki Univ.