
RE: [cobalt-users] Disallowing remote root login



On Sun, 25 Mar 2001 rpaiz@xxxxxxxxxxxxxx wrote:

> gpasswd apparently only adds the user to the group. It also allows any

Well, first, I'd make sure the Qube even supports group passwords as
shadowed, Linux didn't used to do this, not certain when libc got this
added..

> Why? su still requires me to enter the root password. So now someone has
> to guess one of the other three passwords *and* the root password.

ok, before they had to be able to guess admin's password, then root's,
now they get a choice of 4 then root's...

So instead of only one user who can become root you have 4...

(I'm going to assume you aren't giving wheel any real privileges here
;)

> the question. However, it seems like I would only have to add the GUI
> user to the wheel group too, no?

ok, perhaps not, since root is also in the wheel group, it should be ok to
su to a user to drop privilege, so you may be ok...

> See above... su still requires entering root password.

yes, but my point is, admin is the only user login that can later become
root, so that's one password as seen from outside, adding wheel users
means there are now several user/passwords from outside that can get root,
so you have more possible accounts to get into the machine that are usable
to get root...

> > I'm not really certain what you are trying to do here...
> Trying to make it as hard as possible to crack the server in every
> possible way I can think of... :)

ok, dropping user exec for su is a nice start...but remember it's SUID not
SGID ;)

I'd still start simpler, like, can you log in to ssh from any IP?
Is your root password strong?
Remember, su isn't the only way to become root, you can fool with login
too ;)

Do all the cron jobs drop root as soon as possible?
Did you install cobalt's recent backup patch?

gsh
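
An audit sketch for the setup discussed in this thread, added here as an example and not part of either poster's message. It assumes su is owned by root with group wheel and mode 4750; the account names, gid 10 for wheel and the passwd/group lines are constructed sample data, and `su_callers` is a hypothetical helper. It lists every account whose permission bits still allow running su (including users whose primary group is wheel, who do not appear in the group's member list) and checks that the binary is SUID root rather than SGID.

```python
import stat

# Constructed sample data (not from the thread): wheel is gid 10 here.
GROUP = """root:x:0:root
wheel:x:10:root,admin,alice,bob
users:x:100:
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
admin:x:500:100::/home/admin:/bin/bash
alice:x:501:100::/home/alice:/bin/bash
bob:x:502:100::/home/bob:/bin/bash
carol:x:503:10::/home/carol:/bin/bash
dave:x:504:100::/home/dave:/bin/bash
"""

def su_callers(mode, owner_uid, group_gid, passwd_text, group_text):
    """Return (is_setuid_root, sorted accounts allowed to execute su)."""
    supplementary = set()
    for line in group_text.splitlines():
        if not line.strip():
            continue
        _name, _pw, gid, members = line.split(":")
        if int(gid) == group_gid:
            supplementary = {m for m in members.split(",") if m}
    allowed = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, uid, gid = fields[0], int(fields[2]), int(fields[3])
        if uid == 0:
            ok = bool(mode & 0o111)          # root needs any exec bit set
        elif uid == owner_uid:
            ok = bool(mode & stat.S_IXUSR)
        elif gid == group_gid or user in supplementary:
            ok = bool(mode & stat.S_IXGRP)   # primary or supplementary wheel
        else:
            ok = bool(mode & stat.S_IXOTH)
        if ok:
            allowed.append(user)
    # su only grants root if it is SUID and owned by uid 0; SGID is not enough.
    setuid_root = bool(mode & stat.S_ISUID) and owner_uid == 0
    return setuid_root, sorted(allowed)

if __name__ == "__main__":
    print(su_callers(0o4750, 0, 10, PASSWD, GROUP))
```

Each non-root name in the returned list is an account whose password, once guessed, leaves only the root password between an outsider and root.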