Date: Fri, 5 Oct 2001 13:31:14 -0600
From: Nate Williams <nate@yogotech.com>
To: Brandon Fosdick <bfoz@glue.umd.edu>
Cc: stable@FreeBSD.ORG
Subject: Re: Why sshd:PermitRootLogin = no ?
Message-ID: <15294.2690.655297.627687@nomad.yogotech.com>
In-Reply-To: <3BBDF0E9.20BA0F56@glue.umd.edu>
References: <19436.1002297239@axl.seasidesoftware.co.za> <20011005120139.D10847@pir.net> <3BBDF0E9.20BA0F56@glue.umd.edu>

> > > Why is sshd's PermitRootLogin set to 'no' in the default installation of
> > > FreeBSD?
> >
> > Because it's sensible.
>
> Given the semi-recent articles on determining passwords from sniffed
> ssh packets which is least secure?

You can't determine the passwords unless you know a lot about the
traffic patterns of the user. I.e., you have to know the user is typing
'su', waits a bit, and then types the password. This may be hard to
distinguish from a user typing 'ls', and then doing 'more bigDoc'.

In most cases (especially remote logins), the attacker won't know enough
about the patterns of the typing to know exactly what's going on.

This is a lot of information for a hacker to know, and allowing someone
even the slightest possibility of guessing the root password is much
greater.

At least with the first setup (ssh into a valid login first, and then
su), the bad-guy would have to crack *two* accounts in order to get
root. The first account to get a login, and the second account to get
the root password.

If attacking the first account is easy to do, then they can apply the
same techniques to get the 'root' password the same way.

Nate