Date: Fri, 2 Nov 2001 21:02:44 -0600
From: Mike Meyer <mwm@mired.org>
To: swear@blarg.net (Gary W. Swearingen)
Cc: questions@freebsd.org
Subject: Re: Lockdown of FreeBSD machine directly on Net
Message-ID: <15331.24148.395880.525157@guru.mired.org>
In-Reply-To: <12496263@toto.iv>

Gary W. Swearingen <swear@blarg.net> types:
> Ben Eisenbraun <bene@klatsch.org> writes:
>
> > change that to yes, HUP sshd, and it will allow root to login directly
> > via ssh.
> >
> > NOT RECOMMENDED.
>
> I'd like to know why. I'd think that if you can't trust ssh you might
> as well give up. I'd think the tiny reduction in risk (if any) would
> not be worth even the few extra seconds it takes to do the "su" and
> password entry.
>
> IF we assume ssh is secure, isn't it as safe to login as root via ssh as
> at the system console?
>
> Or do people recommend that that not be allowed either?

Yup. Someone logging in as root - no matter where - is completely
anonymous. Su leaves an audit trail. If you're the only one who has
the root password and in group wheel, then it doesn't matter much. If
there's a group of such people, then the audit trail is important.

	<mike
--
Mike Meyer <mwm@mired.org>			http://www.mired.org/home/mwm/
Q: How do you make the gods laugh?		A: Tell them your plans.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
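
The audit-trail point in the message above, as an added example that is not part of the original e-mail: a small log review that separates root access attributable to a named user (via su) from direct root logins over ssh, where only a source address is recorded. The log lines are constructed, and their formats are assumptions modelled on FreeBSD su(1) and OpenSSH sshd syslog messages.

```python
import re

# Constructed sample syslog lines (not from the original message). The line
# formats are assumptions modelled on FreeBSD su(1) and OpenSSH sshd output.
SAMPLE_LOG = """\
Nov  2 20:41:10 guru sshd[411]: Accepted password for alice from 192.0.2.10 port 1022 ssh2
Nov  2 20:41:32 guru su: alice to root on /dev/ttyp0
Nov  2 20:55:03 guru su: BAD SU bob to root on /dev/ttyp1
Nov  2 21:02:44 guru sshd[502]: Accepted password for root from 192.0.2.10 port 1040 ssh2
"""

# su records the invoking account; "BAD SU" marks a failed attempt.
SU_RE = re.compile(r"su(?:\[\d+\])?: (BAD SU )?(\S+) to root on (\S+)")
# A direct root login records only where the connection came from.
SSH_ROOT_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for root from (\S+)")


def root_access_events(log_text):
    """Return one dict per root-access event, naming the user when the log does."""
    events = []
    for line in log_text.splitlines():
        su = SU_RE.search(line)
        if su:
            events.append({"via": "su", "user": su.group(2),
                           "origin": su.group(3), "ok": su.group(1) is None})
            continue
        ssh = SSH_ROOT_RE.search(line)
        if ssh:
            # No personal account appears anywhere in this record.
            events.append({"via": "ssh", "user": None,
                           "origin": ssh.group(1), "ok": True})
    return events


def unattributed(events):
    """Root sessions that cannot be tied to an individual from the log alone."""
    return [e for e in events if e["ok"] and e["user"] is None]


if __name__ == "__main__":
    for event in root_access_events(SAMPLE_LOG):
        who = event["user"] or "UNKNOWN (shared root credential)"
        status = "ok" if event["ok"] else "FAILED"
        print(f"{event['via']:>3} {status:6} {who} from {event['origin']}")
```
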