
RE: [cobalt-users] URGENT: Cannot su - while being admin



<sigh...>

Jeff Lasman wrote:
> Sorry, but this is nothing more or less than FUD.

...and 'gsh' wrote:
> I'm going to respectfully disagree on this one

...and Gerald Waugh wrote:
> You should never log into a system as root.

Guys, guys. We all do things in different ways. That's what makes us all use
acronyms like YMMV from time to time, after all, and makes the world a more
interesting place.

Think of it from a different perspective:

Imagine a large organisation where a small but significant number of users
have root access to a large number of servers, for different reasons. Do
you:

1. Allow them to SSH in, as root, by entering a password?
2. Allow them to SSH in, as root, by using RSA or DSA keys?
3. Not allow them to SSH in as root at all, in fact make them login using
their own account and then su to root?

Each has advantages and disadvantages. In no particular order, they include:
speed
consistency
auditing

Let's face it, if a number of staff work from the same shell box, and all
appear to be logging in from one IP address as root using passwords, and
someone drops a howler - it's almost impossible to audit the problem.

If you use ordinary user accounts and SU, then you have a trail of who
logged in and when, and who SU'd and when. Very handy indeed.

If you use DSA or RSA keys then you reduce the number of people who actually
*know* the root password, thus reducing the chances of malicious activity.
Also it's worth noting that this way you can exert more control over who
logs in - revoke their key, and that's it. No login.

It ain't worth starting a religious war over this. Different places,
different rules.

But to comment on the encryption: if someone has a sniffer on your wire and
captures enough raw login sessions using passwords, it makes cracking SSH
just so much easier. Also if dugsong's site is still up, I'll refer you to
sshmitm. If it ain't you'll have to dig for it. Nuff said.

Graeme
-- 
Graeme Fowler
System Administrator
Host Europe Group PLC


> -----Original Message-----
> From: Gerald Waugh [mailto:gerald@xxxxxxxxx]
> Sent: 17 January 2002 12:36
> To: cobalt-users@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-users] URGENT: Cannot su - while being admin
> 
> 
> On Thu, 17 Jan 2002, flash22@xxxxxxx wrote:
> > On Wed, 16 Jan 2002, Jeff Lasman wrote:
> > > 
> > > Sorry, but this is nothing more or less than FUD.
> > > 
> > > There's NO reason not to ssh as root.  In fact, by default, ssh allows
> > > log-in by root.  If you don't believe it, just try it.
> > Not on all platforms it doesn't...
> > 
> > I'm going to respectfully disagree on this one, and point out a few other
> > people who seem to have the same opinion...
> > 
> <snip>
> 
> I have to go with gsh on this one!
> You should never log into a system as root. (even for a console session)
> Too easy to f***up.
> when you have to su to root do your business and exit back to a user.
> 
> --
> Gerald Waugh
> Registered Linux User 255245
> register at http://counter.li.or
> 
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
>
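
The audit-trail comparison of the three login options in the message above, as an added example that is not part of the original post: it classifies each route to root in an auth log by whether it can be tied to a named person. The log lines are constructed in the style of OpenSSH sshd and PAM su syslog messages, and the function names are hypothetical.

```python
import re

# Constructed sample lines (hosts, users, addresses, PIDs and the key
# fingerprint are invented). Everyone connects from one shared shell box.
SAMPLE_LOG = """\
Jan 17 09:01:12 www1 sshd[2101]: Accepted password for root from 192.0.2.10 port 40112 ssh2
Jan 17 09:03:40 www1 sshd[2130]: Accepted password for root from 192.0.2.10 port 40155 ssh2
Jan 17 09:05:02 www1 sshd[2144]: Accepted publickey for alice from 192.0.2.10 port 40190 ssh2
Jan 17 09:05:30 www1 su: pam_unix(su:session): session opened for user root by alice(uid=501)
Jan 17 09:07:45 www1 sshd[2160]: Accepted publickey for root from 192.0.2.10 port 40201 ssh2: RSA SHA256:CONSTRUCTEDFINGERPRINT
Jan 17 09:09:11 www1 sshd[2177]: Accepted password for bob from 192.0.2.10 port 40233 ssh2
Jan 17 09:09:50 www1 su: pam_unix(su:session): session opened for user root by bob(uid=502)
"""

STAMP = r"^(\w{3}\s+\d+ [\d:]{8}) \S+ "
SSH_RE = re.compile(STAMP + r"sshd\[\d+\]: Accepted (password|publickey) "
                    r"for (\S+) from (\S+) port \d+ ssh2(?:: \S+ (\S+))?")
SU_RE = re.compile(STAMP + r"su(?:\[\d+\])?: .*session opened for user root "
                   r"by (\w+)\(uid=\d+\)")

def root_access_events(log_text):
    """Return one record per route to root, with the identity the log gives."""
    events = []
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m and m.group(3) == "root":
            when, method, _, src, fingerprint = m.groups()
            # Option 1 (password): the log holds only a source address.
            # Option 2 (key): the fingerprint identifies one issued key.
            who = f"key {fingerprint}" if method == "publickey" and fingerprint else None
            events.append({"when": when, "path": f"ssh-{method}", "src": src, "who": who})
            continue
        m = SU_RE.match(line)
        if m:
            # Option 3 (own account, then su): the invoking user is named.
            events.append({"when": m.group(1), "path": "su", "src": None, "who": m.group(2)})
    return events

def unattributed(events):
    """Root sessions that cannot be tied to a person or an issued key."""
    return [e for e in events if e["who"] is None]

if __name__ == "__main__":
    for e in root_access_events(SAMPLE_LOG):
        print(e["when"], e["path"], e["who"] or f"UNKNOWN (only {e['src']})")
```

Mapping a key fingerprint back to a person still depends on keeping a record of which key was issued to whom.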