Jesse P Schultz on Tue, 2 Jul 2002 21:31:56 -0400



Re: [PLUG] log as root or not ?


gabriel rosenkoetter wrote:
On Mon, Jul 01, 2002 at 10:25:19AM -0400, Jesse P Schultz wrote:

I have been reading from the beginning and I am aware that the issue has to do with whether the root password is going in the clear.


There has been a repeated misuse of the term "in the clear". Several
people have used it to refer to sending a password, either for
authentication or in response to su(1)'s password prompt, over an
encrypted channel. This is, obviously, incorrect usage. Sending the
root password in the clear was never intended to be suggested by
either Christophe or myself.


When I use the term in the clear I mean unencrypted.  SSH is not in the
clear.  Telnet is in the clear. Unless of course you are telnetting through
something like an ipsec VPN.

It does not matter whether you initially log in as root or su, if it's encrypted (SSH) it's encrypted, if it's not (Telnet) it's not, and using su only makes it difficult for a hacker who is not trying very hard. MITM is, of course, a possibility on an encrypted connection and digital certificates will help with that.

My argument however, is that the issue is moot simply because you are trying to find a safest way to engage in a bad practice. Logging
in as root is a bad practice no matter how secure the connection is.


No, it's not. Actions that must be taken as root must be taken as
root, and remote system maintenance happens in the real world.

Bad practice not for security from a hacker but from security from yourself. If you log in as root it is easy to forget you are root and not use the care you should.


The reason that logging in to the root account using PKI is more
secure than logging into your regular account (however) and then
using su(1) (or sudo, for that matter, which should be considered a
usage convenience and NEVER a security measure) is that no
shared secret is ever sent across the wire. This makes a mitm attack
totally impossible, provided there's no feasible attack on the PKI
protocol in use.

I never said su was a security measure, but I think of it as more of a precaution (against my own stupidity) than a convenience. Kind of like, okay now, I am becoming root, I need to be careful.


This is not a real big deal on my own systems, but if I am working on someone else's server and they have a vital business reason not to want down time on a web/email/ftp/whatever system I always go to root with great trepidation. The act of doing an su helps make it a solemn act.

In the real world, there certainly exist plausible attacks against
either DSA or RSA SSH-2 authentication, but these attacks take a
significantly longer time to brute force than user passwords.

Agreed, public key cryptography is much more secure than passwords.


Is there an actual need to use what is normally considered bad practice?


What portion of this is normally considered bad practice? Remote
administration? It has liabilities, but it's a cost-benefit
tradeoff. The computer's only actually secure if it's unplugged and
locked in a safe. But it's not doing you much good there.

I hope not. Most of my administration is done remotely. Much much better than a long turnpike drive!

One should only use root when doing root stuff. Making a habit of logging in as a regular user then changing to root is a venerable best practice for admins.





______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug