From owner-freebsd-questions@FreeBSD.ORG Fri Feb 4 06:01:14 2005
Date: Fri, 4 Feb 2005 08:01:07 +0200
From: Giorgos Keramidas <keramida@ceid.upatras.gr>
To: Gert Cuykens
cc: freebsd-questions@freebsd.org
cc: Chris Hodgins
Subject: Re: ssh default security risc
Message-ID: <20050204060106.GB51807@gothmog.gr>
References: <4202B512.9080306@cis.strath.ac.uk> <4202BC4E.4090809@cis.strath.ac.uk>
List-Id: User questions

On 2005-02-04 01:04, Gert Cuykens wrote:
> On Fri, 04 Feb 2005 00:05:34 +0000, Chris Hodgins wrote:
> True but the point is without the ssh root enabled there is nothing
> you can do about it to stop them if they change your user password

What user password?  You are using SSH keys, as many have noted in
earlier posts of the thread, right? :P

Seriously now.
What gave you the crazy idea that having local access as an unprivileged
user means that automatically you are also root?  Effort is *still*
needed.  Effort that the average Joe Random Cracker is _NOT_ going to
spend.

You may also want to consider that having SSH enabled for root means
there is only ONE step to becoming root from any remote location.
Having to SSH as a user first, with the right combination of SSH keys
and passwords, and then use su(1) with yet another password is at least
one more step.  Why is the first, 1-step procedure safer than the
second?

- Giorgos
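The two sshd settings the message turns on, root login over SSH and password versus key authentication, can be checked mechanically. The script below is an added example and is not code from this thread or from FreeBSD; the two sshd_config files it builds are constructed samples, one with the weak settings and one with the hardened ones, and the file names are temporary.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit an sshd_config
# for direct root login over SSH and for password authentication.
# Sample configs and file names below are constructed for the demo.

# Print the effective value of a keyword in an sshd_config.  sshd honours
# the first occurrence of a keyword and compares keywords case-insensitively;
# if the keyword is absent, the caller's default ($3) is printed.  Only the
# "Keyword value" form is parsed; Match blocks are not modelled here.
sshd_setting() {
    _file=$1; _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); _default=$3
    _val=$(awk -v key="$_key" '
        /^[ \t]*#/ { next }                                # comment line
        NF >= 2 && tolower($1) == key { print $2; exit }   # first match wins
    ' "$_file")
    if [ -n "$_val" ]; then printf '%s\n' "$_val"; else printf '%s\n' "$_default"; fi
}

# Report whether a config follows the advice in the thread: no direct root
# login over SSH, and keys rather than passwords.  Prints one line per
# finding; returns 0 when both hold, 1 otherwise.  A missing keyword is
# treated as "yes" so that an unset option counts as a finding instead of
# silently passing.  Values such as "without-password" still let root log
# in directly with a key, so anything other than "no" is flagged.
audit_sshd_config() {
    _cfg=$1; _bad=0
    _root=$(sshd_setting "$_cfg" PermitRootLogin yes)
    _pass=$(sshd_setting "$_cfg" PasswordAuthentication yes)
    case $(printf '%s' "$_root" | tr 'A-Z' 'a-z') in
        no) ;;
        *)  echo "$_cfg: PermitRootLogin is '$_root' (want: no; log in as a user, then su(1))"
            _bad=1 ;;
    esac
    case $(printf '%s' "$_pass" | tr 'A-Z' 'a-z') in
        no) ;;
        *)  echo "$_cfg: PasswordAuthentication is '$_pass' (want: no; use SSH keys)"
            _bad=1 ;;
    esac
    return $_bad
}

# Constructed sample configs in temporary files, removed on exit.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT

cat > "$WEAK_CFG" <<'EOF'
# constructed sample: root straight in, passwords accepted
Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$HARD_CFG" <<'EOF'
# constructed sample: log in as a user with a key, then su(1)
Port 22
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

audit_sshd_config "$WEAK_CFG" || echo "$WEAK_CFG: root is one step away from any remote host"
audit_sshd_config "$HARD_CFG" && echo "$HARD_CFG: ok, root needs a user key plus the su(1) password"
```

Run it as-is to see the weak sample produce two findings and the hardened one pass; to audit a real host, call audit_sshd_config with the path to its sshd_config instead of the temporary files.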