Date: Fri, 4 Feb 2005 08:01:07 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Gert Cuykens <gert.cuykens@gmail.com>
Cc: Chris Hodgins <chodgins@cis.strath.ac.uk>
Subject: Re: ssh default security risc
Message-ID: <20050204060106.GB51807@gothmog.gr>
In-Reply-To: <ef60af090502031604391fcbd6@mail.gmail.com>
References: <ef60af09050203143220daf9f9@mail.gmail.com> <4202B512.9080306@cis.strath.ac.uk> <ef60af09050203153670e8f27f@mail.gmail.com> <4202BC4E.4090809@cis.strath.ac.uk> <ef60af090502031604391fcbd6@mail.gmail.com>
On 2005-02-04 01:04, Gert Cuykens <gert.cuykens@gmail.com> wrote:
> On Fri, 04 Feb 2005 00:05:34 +0000, Chris Hodgins
> <chodgins@cis.strath.ac.uk> wrote:
> True but the point is without the ssh root enabled there is nothing
> you can do about it to stop them if they change your user password

What user password?  You are using SSH keys, as many have noted in
earlier posts of the thread, right? :P

Seriously now.  What gave you the crazy idea that having local access as
an unprivileged user means that automatically you are also root?  Effort
is *still* needed.  Effort that the average Joe Random Cracker is _NOT_
going to spend.

You may also want to consider that having SSH enabled for root means
there is only ONE step to becoming root from any remote location.
Having to SSH as a user first, with the right combination of SSH keys
and passwords, and then use su(1) with yet another password is at least
one more step.  Why is the first, 1-step procedure safer than the
second?

- Giorgos
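The two setups the message contrasts, as an added example that is not part of the original thread: a small sh script that audits an sshd_config for direct root login and password authentication. The parsing rules it follows (case-insensitive keywords, `#` comments, first value of a keyword wins) are documented sshd_config(5) behaviour; the function names, the "weak" and "hardened" sample files and the finding texts are constructed for this example. It reads only the global section of the file, so anything inside a Match block is deliberately out of scope.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# settings the message argues about (direct root login vs. user + su(1)).
# Facts the audit mirrors from sshd_config(5): keywords are case-insensitive,
# '#' starts a comment, and for each keyword the FIRST value found is used.
# Limitation (by design): only the global section is read; conditional
# values inside Match blocks are out of scope here.

# Print the effective global value of keyword $2 in config file $1, or
# nothing if the keyword is not set.
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                                 # drop comments
        tolower($1) == "match" { exit }                    # global section ends here
        NF >= 2 && tolower($1) == key { print $2; exit }   # first value wins
    ' "$1"
}

# Print one finding per line for config $1; return 1 if there were any.
# Anything but an explicit "PermitRootLogin no" is flagged, because
# "prohibit-password" / "without-password" still let root in with a key.
audit_sshd_config() {
    _findings=0
    _root=$(sshd_effective_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    _pass=$(sshd_effective_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    _pubkey=$(sshd_effective_value "$1" PubkeyAuthentication | tr 'A-Z' 'a-z')

    case "$_root" in
        no) ;;
        "") echo "PermitRootLogin unset: default varies by OpenSSH version, set it to no"
            _findings=1 ;;
        *)  echo "PermitRootLogin $_root: root is one step away from any remote host"
            _findings=1 ;;
    esac
    case "$_pass" in
        no) ;;
        *)  echo "PasswordAuthentication ${_pass:-unset}: guessable passwords accepted, use keys"
            _findings=1 ;;
    esac
    if [ "$_pubkey" = "no" ]; then
        echo "PubkeyAuthentication no: key-based login is disabled"
        _findings=1
    fi
    return "$_findings"
}

# Constructed sample configs (not taken from any real host), written to temp
# files so the script runs offline; they are removed when the script exits.
weak_cfg=$(mktemp) && hard_cfg=$(mktemp)
trap 'rm -f "$weak_cfg" "$hard_cfg"' EXIT
cat > "$weak_cfg" <<'EOF'
# the risky setup the thread discusses: password login straight to root
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$hard_cfg" <<'EOF'
# hardened: keys only, no direct root; become root with su(1) afterwards
Port 22
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
# a later duplicate never overrides the first value given above
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak =="
audit_sshd_config "$weak_cfg" || echo "-> fix before exposing sshd"
echo "== hardened =="
audit_sshd_config "$hard_cfg" && echo "-> no findings"
```

Point it at a real file with `audit_sshd_config /etc/ssh/sshd_config` to check a host; the hardened sample also shows why "fixing" a setting by appending a line at the bottom of sshd_config does nothing when an earlier line already sets the same keyword.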
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050204060106.GB51807>