From: Gert Cuykens
To: Chris Hodgins
Cc: freebsd-questions@freebsd.org
Date: Fri, 4 Feb 2005 01:04:34 +0100
Subject: Re: ssh default security risc
In-Reply-To: <4202BC4E.4090809@cis.strath.ac.uk>
References: <4202B512.9080306@cis.strath.ac.uk> <4202BC4E.4090809@cis.strath.ac.uk>

On Fri, 04 Feb 2005 00:05:34 +0000, Chris Hodgins wrote:
> Gert Cuykens wrote:
> > On Thu, 03 Feb 2005 23:34:42 +0000, Chris Hodgins
> > wrote:
> >
> >>Gert Cuykens wrote:
> >>
> >>>By default the root ssh is disabled. If a dedicated server x somewhere
> >>>far far away doesn't have root ssh enabled the admin is pretty much
> >>>screwed if they hack his user account and change the user password,
> >>>right?
> >>>
> >>>So is it not better to enable it by default?
> >>
> >>Every unix box has a root account. Not every unix box has a jblogs
> >>account. Let's take the example of a brute-force attempt. The first
> >>thing I would do would be to attack root's password. I know the account
> >>exists. Might as well go for the big prize first.
> >>
> >>So having a root account enabled is definitely a bad thing.
> >>
> >>Chris
> >>
> >
> > Do you agree a user account is most of the time more vulnerable than the
> > root account?
>
> Assuming you know the username then maybe. It depends on the strength
> of the user's password. If they are only using private keys with
> passphrases then you probably won't be getting access that way with any
> account.
>
> >
> > If they can hack the root they can definitely hack a user account too.
> > So I don't see any meaning of disabling it.
>
> If they can hack root they own the system and can do what they like. By
> disabling root you remove the option of this happening. Instead they
> have to try and compromise a user account. Once they compromise the
> user account, they then have to gain root access (assuming that is their
> goal). Why bother with the hassle? There are plenty of machines out
> there already with weak root passwords. If a hacker really wants into
> your system he will find a way.
>
> Chris

True, but the point is without the ssh root enabled there is nothing
you can do about it to stop them if they change your user password.