From: Raoul Schroeder
Date: Fri, 05 Oct 2001 12:48:04 -0400
To: Kutulu
Cc: Sheldon Hearn, stable@FreeBSD.ORG
Subject: Re: Why sshd:PermitRootLogin = no ?
Message-ID: <3BBDE444.3815EBB1@gmx.net>
References: <5.1.0.14.0.20011005120304.009f8590@127.0.0.1>

In my opinion the way to go is:

Member of wheel (not root) with starred-out password.
Login with SSH and RSA (password protected).
Then you can SU to install (which is really the biggest weakness, because
once more the cleartext password goes over the wire... Encrypted, but still).

The most important reason is that an SSH login from root is NOT logged,
however an SU is... So, it is easier to see if security has been
compromised.

Just my $0.02

Raoul
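A check for the setup described in the message above, as an added example that is not part of the original post: it reports when root SSH login is not disabled or when a non-root wheel member's password field is not starred out. The function names and the sample sshd_config, master.passwd and group text are constructed for illustration.

```python
import re

def sshd_globals(conf):
    """Global sshd_config settings; sshd keeps the first value read per keyword."""
    seen = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # keyword and argument are separated by whitespace or a single '='
        parts = re.split(r"[ \t]*=[ \t]*|[ \t]+", line, maxsplit=1)
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":              # conditional blocks are not evaluated here
            break
        if len(parts) == 2:
            seen.setdefault(key, parts[1].strip().lower())
    return seen

def wheel_members(group_text):
    """Names listed on the wheel line (users with primary gid 0 are not covered)."""
    for line in group_text.splitlines():
        f = line.strip().split(":")
        if len(f) == 4 and f[0] == "wheel":
            return [m for m in f[3].split(",") if m]
    return []

def audit(conf, master_passwd, group_text):
    findings = []
    prl = sshd_globals(conf).get("permitrootlogin")
    if prl != "no":
        findings.append("PermitRootLogin is %s, not 'no'" % (prl or "unset"))
    # master.passwd: name:password:uid:gid:class:change:expire:gecos:home:shell
    pw = {}
    for line in master_passwd.splitlines():
        f = line.split(":")
        if len(f) == 10:
            pw[f[0]] = f[1]
    for user in wheel_members(group_text):
        if user == "root":
            continue
        if user not in pw:
            findings.append("%s: in wheel but has no passwd entry" % user)
        elif not pw[user].startswith("*"):
            findings.append("%s: password field is not starred out" % user)
    return findings

# Constructed sample input; the hash strings are placeholders, not real hashes.
SAMPLE_CONF = "# constructed\nPermitRootLogin no\nPermitRootLogin yes\n"
SAMPLE_GROUP = "wheel:*:0:root,alice,bob\n"
SAMPLE_PASSWD = ("root:$2b$CONSTRUCTED:0:0::0:0:Charlie &:/root:/bin/sh\n"
                 "alice:*:1001:1001::0:0:Alice:/home/alice:/bin/sh\n"
                 "bob:$2b$CONSTRUCTED:1002:1002::0:0:Bob:/home/bob:/bin/sh\n")
```

Because the first value wins, a `PermitRootLogin yes` placed above a later `PermitRootLogin no` leaves root login enabled, which the check reports.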