gabriel rosenkoetter on Mon, 1 Jul 2002 11:34:20 -0400

Re: [PLUG] log as root or not ?


On Mon, Jul 01, 2002 at 10:25:19AM -0400, Jesse P Schultz wrote:
> I have been reading from the beginning and i am aware that the issue has 
> to do with whether the root password is going in the clear.

There has been a repeated misuse of the term "in the clear". Several
people have used it to refer to sending a password, either for
authentication or in response to su(1)'s password prompt, over an
encrypted channel. This is, obviously, incorrect usage. Sending the
root password in the clear was never intended to be suggested by
either Christophe or myself.

> It does not matter whether you initially log in as root or su, if it's 
> encrypted  (SSH) it's encrypted, if it's not (Telnet) it's not, and 
> using su only makes it difficult for a hacker who is not trying very 
> hard.  MITM is, of course, a possibility on an encrypted connection and 
> digital certificates will help with that.
> 
> My argument however, is that the issue is moot simply because you are 
> trying to find a safest way to engage in a bad practice.  Logging
> in as root is a bad practice no matter how secure the connection is.

No, it's not. Actions that must be taken as root must be taken as
root, and remote system maintenance happens in the real world.

The reason that logging in to the root account using PKI is more
secure than logging into your regular account (however) and then
using su(1) (or sudo, for that matter, which should be considered a
usage convenience and NEVER a security measure) is that no
shared secret is ever sent across the wire. This makes a MITM attack
totally impossible, provided there's no feasible attack on the PKI
protocol in use.

In the real world, there certainly exist plausible attacks against
either DSA or RSA SSH-2 authentication, but these attacks take a
significantly longer time to brute force than user passwords.

> Is there an actual need to use what is normally considered bad practice?

What portion of this is normally considered bad practice? Remote
administration? It has liabilities, but it's a cost-benefit
tradeoff. The computer's only actually secure if it's unplugged and
locked in a safe. But it's not doing you much good there.

-- 
gabriel rosenkoetter
gr@eclipsed.net

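The distinction the message turns on (root reachable over ssh only by a key, so no shared secret ever crosses the wire, versus a root password typed into an encrypted session) is decided by a handful of sshd_config keywords. The following audit script is an added example, not code from the thread or from OpenSSH; it reads a config file and reports whether root can still be reached with a password. It assumes current OpenSSH keyword names and defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes, PubkeyAuthentication yes, KbdInteractiveAuthentication yes), and the sample config files it builds are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the
# authentication modes discussed above. sshd honours the FIRST occurrence
# of a keyword, keywords are case-insensitive, and "Key=value" is allowed
# as well as "Key value". Only the global section is read: a "Match"
# block applies conditionally and is treated as the end of the global part.

# sshd_option FILE KEYWORD DEFAULT -> prints the effective global value
sshd_option() {
    k=$(printf %s "$2" | tr A-Z a-z)
    awk -v key="$k" -v def="$3" '
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }     # normalise Key=value
        /^[[:space:]]*#/ || NF < 2 { next }           # comments and blanks
        tolower($1) == "match" { exit }               # stop at first Match
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }                 # assumed OpenSSH default
    ' "$1"
}

# audit_sshd FILE -> prints findings; returns 0 when root cannot be reached
# with a password over ssh, 1 when a password path to root still exists
audit_sshd() {
    prl=$(sshd_option "$1" PermitRootLogin prohibit-password | tr A-Z a-z)
    pwa=$(sshd_option "$1" PasswordAuthentication yes | tr A-Z a-z)
    kbd=$(sshd_option "$1" KbdInteractiveAuthentication yes | tr A-Z a-z)
    pka=$(sshd_option "$1" PubkeyAuthentication yes | tr A-Z a-z)
    printf 'PermitRootLogin=%s PasswordAuthentication=%s KbdInteractive=%s Pubkey=%s\n' \
        "$prl" "$pwa" "$kbd" "$pka"
    case "$prl" in
        no)
            echo "root cannot log in over ssh at all (su/sudo path only)"
            return 0 ;;
        prohibit-password|without-password|forced-commands-only)
            echo "root logs in by key only: no shared secret crosses the wire"
            return 0 ;;
    esac
    # PermitRootLogin yes: root may use any method that is globally enabled.
    if [ "$pwa" = "yes" ]; then
        echo "WEAK: root password accepted over ssh (captured if the session is MITMed)"
        return 1
    fi
    # PasswordAuthentication no is not enough by itself: keyboard-interactive
    # (PAM) can still prompt for the same password unless it is also off.
    if [ "$kbd" = "yes" ]; then
        echo "WEAK: keyboard-interactive still enabled, PAM may prompt root for a password"
        return 1
    fi
    echo "root by key only (all password methods globally off)"
    return 0
}

demo() {
    weak=$(mktemp); fixed=$(mktemp)
    # constructed sample: the setting the thread argues against
    cat >"$weak" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
EOF
    # constructed sample: root reachable only with a key
    cat >"$fixed" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication=no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
    audit_sshd "$weak" || echo "-> finding: password path to root exists"
    audit_sshd "$fixed" && echo "-> ok"
    rm -f "$weak" "$fixed"
}

demo
```

Run it against a real file with `audit_sshd /etc/ssh/sshd_config` after sourcing the script; on a live host, `sshd -T` prints the fully resolved configuration (including Match blocks for a given connection) and is the authoritative view when the file contains conditional sections.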