joefish (Guru)
Joined: 27 Jan 2004 Posts: 316 Location: New Zealand
Posted: Tue Mar 07, 2006 9:18 am Post subject: A question about SSH security policy

I've seen a lot of people talk about disabling remote login for the root user over SSH. Apparently I should instead have one non-root user who is allowed to su to root.

But isn't having more accounts than necessary also unwise from a security point of view? If I have a decent passphrase, I don't see how having to log in to a normal user account first is going to stop anybody who seriously wants to get in. (In fact, couldn't doing things this way be worse? E.g., if some sort of privilege escalation flaw is found in some piece of software I'm running.)

Anyway, I'm sure there's a good reason - I'd just like to know what it is.

Thanks.
erikm (l33t)
Joined: 08 Feb 2005 Posts: 634
Posted: Tue Mar 07, 2006 9:35 am Post subject: Re: A question about SSH security policy

joefish wrote:
> I've seen a lot of people talk about disabling remote login for the root user over SSH. Apparently I should instead have one non-root user who is allowed to su to root.
> But isn't having more accounts than necessary also unwise from a security point of view? If I have a decent passphrase, I don't see how having to log in to a normal user account first is going to stop anybody who seriously wants to get in. (In fact, couldn't doing things this way be worse? E.g., if some sort of privilege escalation flaw is found in some piece of software I'm running.)
> Anyway, I'm sure there's a good reason - I'd just like to know what it is.
> Thanks.

The simple fact that anyone trying to break in will first have to guess the username of your privileged user, which in a flash filters out the vast majority of script kiddie attacks (whereas if you allow root they can go directly to trying to brute force the password), is reason enough for me.

But then, there is no such thing as foolproof security; if the world's greatest hackers decided your box is a prime target, they could probably hack su too.
PaulBredbury (Watchman)
Joined: 14 Jul 2005 Posts: 7310
Posted: Tue Mar 07, 2006 11:06 am Post subject: Re: A question about SSH security policy

joefish wrote:
> But isn't having more accounts than necessary also unwise from a security point of view?

It's only one account. I have about 50 users in my /etc/passwd already, set up by Gentoo for services.

Quote:
> E.g., if some sort of privilege escalation flaw is found in some piece of software I'm running

Subscribe to the security and weekly mailing list.
gentoobobby (Apprentice)
Joined: 17 Jan 2006 Posts: 293
Posted: Tue Mar 07, 2006 12:51 pm Post subject:

Are you stuck disabling the root account?
Carlo (Developer)
Joined: 12 Aug 2002 Posts: 3356
Posted: Tue Mar 07, 2006 5:02 pm Post subject: Re: A question about SSH security policy

joefish wrote:
> I've seen a lot of people talk about disabling remote login for the root user over SSH. Apparently I should instead have one non-root user who is allowed to su to root.
> But isn't having more accounts than necessary also unwise from a security point of view?

You always have at least one user allowed to su root, since it would be entirely stupid to work as root locally all the time. The argument not to have more accounts than necessary is void compared to direct remote root access anyway.

_________________
Please make sure that you have searched for an answer to a question after reading all the relevant docs.
Jfr0 (n00b)
Joined: 19 Dec 2005 Posts: 72
Posted: Tue Mar 07, 2006 6:35 pm Post subject:

You are just hoping to make it more difficult to get root.

Assuming everything works correctly they first have to guess your user name, then your user password, then your root password. If you allow remote root access then they only need to guess/bruteforce 1 password.
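The two points made in this thread (erikm's, that disabling root login forces an attacker to guess a username before a password, and Jfr0's, that it turns one guessed secret into three) can be checked on a real box in two places: the sshd_config that decides who may log in at all, and the auth log that shows who is actually being targeted. The script below is an added example written for this page; it is not code posted by anyone in the thread and not part of OpenSSH. The config fragments, the log lines and the account name `joe` are all constructed for the example; the log parser assumes the standard OpenSSH "Failed password for [invalid user] NAME from ADDR" message format, and the auditor treats a missing `PermitRootLogin` as `yes`, which was the OpenSSH default at the time of the thread.

```python
import re
from collections import Counter

# Constructed sshd_config fragment (not from the thread): direct root login
# is permitted and any local account is a valid login target.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened fragment: root cannot log in over SSH, and only one
# named account (hypothetical user 'joe') may; root is reached via su.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
AllowUsers joe
PasswordAuthentication yes
"""

# Constructed auth-log lines in the OpenSSH message style; not from any real
# host. The pattern mirrors erikm's point: the noise goes straight for 'root'
# and generic names, while the real user logs in from elsewhere.
SAMPLE_AUTH_LOG = """\
Mar  7 09:18:01 box sshd[2001]: Failed password for root from 192.0.2.10 port 4021 ssh2
Mar  7 09:18:03 box sshd[2002]: Failed password for root from 192.0.2.10 port 4022 ssh2
Mar  7 09:18:05 box sshd[2003]: Failed password for invalid user admin from 192.0.2.10 port 4023 ssh2
Mar  7 09:18:07 box sshd[2004]: Failed password for invalid user test from 192.0.2.10 port 4024 ssh2
Mar  7 09:18:09 box sshd[2005]: Failed password for root from 192.0.2.10 port 4025 ssh2
Mar  7 09:20:11 box sshd[2010]: Accepted password for joe from 198.51.100.7 port 5120 ssh2
"""

# Values of PermitRootLogin that do not allow a password login as root.
ROOT_LOGIN_SAFE = {"no", "prohibit-password", "without-password"}


def parse_sshd_config(text):
    """Return {lowercased keyword: value} for an sshd_config text.

    Comments and blank lines are skipped; keywords are case-insensitive in
    sshd_config, so they are normalised to lowercase here.
    """
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings


def audit_sshd_config(text):
    """Return a list of findings (empty means the two checks passed)."""
    settings = parse_sshd_config(text)
    findings = []
    # Assumption: an absent PermitRootLogin is treated as 'yes' (the old default).
    if settings.get("permitrootlogin", "yes").lower() not in ROOT_LOGIN_SAFE:
        findings.append("PermitRootLogin allows direct root login; set it to 'no'")
    if "allowusers" not in settings and "allowgroups" not in settings:
        findings.append("no AllowUsers/AllowGroups: every local account is an SSH login target")
    return findings


FAILED_RE = re.compile(r"Failed password for (?:(invalid user) )?(\S+) from (\S+)")


def summarize_failures(log_text):
    """Count failed password attempts per target username.

    Returns (Counter of failures by username, set of usernames that do not
    exist on the box). Successful logins are not counted.
    """
    by_user = Counter()
    invalid_users = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        invalid, user, _src = m.groups()
        by_user[user] += 1
        if invalid:
            invalid_users.add(user)
    return by_user, invalid_users


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(label, "config:", audit_sshd_config(cfg) or "ok")
    by_user, invalid = summarize_failures(SAMPLE_AUTH_LOG)
    for user, count in by_user.most_common():
        tag = " (no such account)" if user in invalid else ""
        print(f"{count:3d} failed attempts against {user}{tag}")
```

With `PermitRootLogin no`, every one of the attempts against `root` in the sample log is refused before the password is even considered, and the `invalid user` lines show guesses at names that do not exist; only the one account listed in `AllowUsers` can reach a password prompt at all, and it still has to su afterwards.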