gabriel rosenkoetter on Mon, 1 Jul 2002 05:20:10 +0200
On Sun, Jun 30, 2002 at 09:03:05PM -0400, christophe barbé wrote:
> It seems no more a good reason with openssh and other secure links to
> avoid to log as root.

Precisely because of this, I agree with you. Passing a shared secret across the wire, even across an encrypted wire, is and will always be a bad idea.

With SSH-1, it's trivially easy for a mitm to significantly decrease his cryptographic search space for a brute force attack if he gets to hear the IVs (and he does), and it's also trivially easy to know which chunks of encrypted stream you want to brute force. (Two characters followed after a brief pause by eight to twelve will be plenty if you're watching a statistically significant number of hosts; granted, this wouldn't get me, as I su -m, but I just told you all that, and watching my habits--even encrypted--to learn from them wouldn't be hard.)

Keeping PermitRootLogin set to "without-password" in sshd_config is a totally reasonable thing to do and, arguably, it provides a better audit trail, in combination with some kind of accounting system, than a sulog possibly could. (You don't really care what user became root, you want to know what IP address they came from and as what *real person*--based on the public key that granted them access--they are.)

That said, acting ordinarily as root is still a bad idea. Actions should be taken as root ONLY when it is necessary to do so. You should presume when you're compiling, installing, and using software that someone WILL be trying to trick you into running something evil (through any of the completely simple LD_* tricks, which are much easier to deal with than trojaning any kind of binary).

-- 
gabriel rosenkoetter
gr@eclipsed.net
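The audit trail the mail argues for (root logins tied to a source address and to the real person whose public key was accepted, with password logins to root flagged as a policy violation) can be checked directly against sshd's own log output. The following script is an added example, not code from the mail or from OpenSSH. The log lines and the fingerprint-to-owner table are constructed; the message shapes follow OpenSSH's `Accepted <method> for <user> from <ip> port <port> ssh2` lines, which on current releases append the key type and SHA256 fingerprint for publickey logins.

```python
"""Correlate root SSH logins with source IP and key owner.

Added example: checks the audit trail described in the mail.  A root
login is policy-compliant only if it used a public key (what
"PermitRootLogin without-password" enforces) AND that key maps to a
known person.  Sample log and owner table below are constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed: fingerprint -> person.  Assumption: maintained from the
# comment field of root's authorized_keys or a key inventory.
KEY_OWNERS: Dict[str, str] = {
    "SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": "gabriel",
    "SHA256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": "alice",
}

# Constructed sample of sshd syslog output (four distinct cases).
SAMPLE_LOG = """\
Jul  1 05:20:10 host sshd[1234]: Accepted publickey for root from 192.0.2.10 port 51234 ssh2: RSA SHA256:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
Jul  1 05:21:00 host sshd[1240]: Accepted password for root from 198.51.100.7 port 40000 ssh2
Jul  1 05:22:30 host sshd[1250]: Accepted publickey for alice from 192.0.2.11 port 51300 ssh2: ED25519 SHA256:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
Jul  1 05:23:00 host sshd[1260]: Accepted publickey for root from 203.0.113.5 port 40100 ssh2: RSA SHA256:cccccccccccccccccccccccccccccccccccccccccccc
Jul  1 05:23:30 host sshd[1270]: Failed password for root from 198.51.100.9 port 40200 ssh2
"""

# The fingerprint suffix is optional: password logins do not carry one.
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+) ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def parse_accepted(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields of an 'Accepted ...' line, or None for other lines."""
    m = ACCEPTED_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, Optional[str]] = m.groupdict()
    # Resolve the key to a person; None if unknown or no key was used.
    rec["owner"] = KEY_OWNERS.get(rec["fp"]) if rec["fp"] else None
    return rec


def root_login_report(log_text: str) -> List[Dict[str, object]]:
    """One record per successful root login, with a policy verdict.

    policy_ok is True only for publickey logins whose key maps to a
    known owner; password logins and unknown keys are flagged.
    """
    report: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_accepted(line)
        if rec is None or rec["user"] != "root":
            continue
        policy_ok = rec["method"] == "publickey" and rec["owner"] is not None
        report.append({
            "ip": rec["ip"],
            "method": rec["method"],
            "owner": rec["owner"],
            "policy_ok": policy_ok,
        })
    return report


if __name__ == "__main__":
    for entry in root_login_report(SAMPLE_LOG):
        flag = "OK  " if entry["policy_ok"] else "FLAG"
        print(f"{flag} root from {entry['ip']:<15} via {entry['method']:<9} "
              f"owner={entry['owner']}")
```

Run against the constructed sample it reports three root logins: the first is attributed to gabriel and passes, the password login is flagged because no key (and so no person) stands behind it, and the third is flagged because its key is not in the owner table. Failed attempts and non-root logins are ignored here; a real accounting setup would keep them in a separate feed.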