From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
Date: Fri, 5 Oct 2001 13:31:14 -0600
To: Brandon Fosdick
Cc: stable@FreeBSD.ORG
Subject: Re: Why sshd:PermitRootLogin = no ?
Message-ID: <15294.2690.655297.627687@nomad.yogotech.com>
In-Reply-To: <3BBDF0E9.20BA0F56@glue.umd.edu>
References: <19436.1002297239@axl.seasidesoftware.co.za> <20011005120139.D10847@pir.net> <3BBDF0E9.20BA0F56@glue.umd.edu>

> > > Why is sshd's PermitRootLogin set to 'no' in the default installation of
> > > FreeBSD?
> >
> > Because it's sensible.
>
> Given the semi-recent articles on determining passwords from sniffed
> ssh packets which is least secure?

You can't determine the passwords unless you know a lot about the
traffic patterns of the user, i.e., you have to know the user is typing
'su', waits a bit, and then types the password. This may be hard to
distinguish from a user typing 'ls', and then doing 'more bigDoc'.
In most cases (especially remote logins), the attacker won't know enough
about the patterns of the typing to know exactly what's going on.

This is a lot of information for a hacker to know, and allowing someone
even the slightest possibility of guessing the root password is much
greater.

At least with the first setup (ssh into a valid login first, and then
su), the bad-guy would have to crack *two* accounts in order to get
root. The first account to get a login, and the second account to get
the root password.

If attacking the first account is easy to do, then they can apply the
same techniques to get the 'root' password the same way.

Nate
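
An added example, not part of Nate's message or of FreeBSD's code: a small Python check that reads an sshd_config and reports whether root can still log in directly with a password, which is the setup the message argues against. The function names and the sample config are constructed for illustration, and `default="no"` is an assumption taken from the default this thread describes.

```python
import re

def root_login_settings(config_text, default="no"):
    """Return (global_value, match_overrides) for PermitRootLogin.

    sshd uses the first value it obtains for a keyword, so a later
    duplicate line in the global section has no effect. Keywords are
    case-insensitive. `default` applies when the keyword is absent;
    "no" is the default this thread describes (assumption, other
    sshd versions ship a different default).
    """
    global_value = None
    overrides = []          # (Match criteria, value) pairs
    current_match = None    # None while still in the global section
    seen_in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both "Keyword value" and "Keyword=value".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        if keyword == "match":
            current_match, seen_in_match = value, False
        elif keyword == "permitrootlogin":
            value = value.lower()   # so "Yes" is still flagged below
            if current_match is None:
                if global_value is None:
                    global_value = value
            elif not seen_in_match:
                overrides.append((current_match, value))
                seen_in_match = True
    return (global_value or default), overrides

def allows_direct_root_password(config_text, default="no"):
    """True if any section lets root authenticate with a password."""
    global_value, overrides = root_login_settings(config_text, default)
    return global_value == "yes" or any(v == "yes" for _, v in overrides)

# Constructed sample: the global section looks safe, a Match block is not.
SAMPLE = """\
Port 22
PermitRootLogin no
PermitRootLogin yes
Match Address 192.0.2.0/24
    PermitRootLogin yes
"""

if __name__ == "__main__":
    print(root_login_settings(SAMPLE), allows_direct_root_password(SAMPLE))
```

On a live host, `sshd -T` prints the configuration the daemon actually resolved, which is the authoritative answer; this parser only reads the text it is given.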