Full Disclosure mailing list archives

Re: [Full-Disclosure] (Psexec on *NIX)

From: Raj Mathur <raju () linux-delhi org>
Date: Fri, 2 Feb 2007 13:40:47 +0530

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Friday 02 February 2007 12:08, Valdis.Kletnieks () vt edu wrote:

On Fri, 02 Feb 2007 13:25:11 +0800, Eduardo Tongson said:

On 2/2/07, Xavier Beaudouin <kiwi () oav net> wrote:
<>

Allowing direct root login even with SSH is IMHO stupid...


Please elaborate why is it IYHO stupid.


In environments where more than 1 person has root access, allowing
direct login to root means you can't keep an audit trail of which
person logged in.

And if your environment only one person has root access, that's
just looking for a DoS if the one person is hit by a bus.....


I believe we have had this discussion before, but I'll iterate my 
beliefs in favour of allowing direct root access again:

- - Key-based root logins are quite secure.  I don't see any reason why 
key-based root login would be any less secure than permitting a user 
login followed by an sudo.

- - Password management is a bitch.  I don't remember passwords for 
about half the accounts I have.  Using a key-based root login, I 
don't need to remember those passwords either.  If you take the sudo 
route, every user has to remember each password for each account, 
unless you take the deprecated route of reusing passwords (or 
*horrors* allow sudo without password).

- - With a little bit of configuration, it's easy to figure out which 
key was used to login to an account; the audit trail can be managed 
that way.

- - Managing which users have access to which root accounts is trivial 
this way: just add or delete their keys from .ssh/authorized_keys[2].

Of course, ideally you could use a combination of user-based and 
key-based logins: allow users to login any which way they want, then 
only allow key-based root ssh from localhost.  Hmm, that's an idea 
worth exploring...

Regards,

- -- Raju
- -- 
Raj Mathur            raju () kandalaya org   http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFFwvINyWjQ78xo0X8RAs9tAJ9fc7PXCY/ITlhWZdx0Pang0/mWMgCfcOkg
eSmt2EEur8Jr3W9rodZEhn4=
=DSri
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

[Full-Disclosure] (Psexec on *NIX) Gianluca Giacometti (Feb 01)
- Re: [Full-Disclosure] (Psexec on *NIX) Knud Erik Højgaard (Feb 01)
  - Re: [Full-Disclosure] (Psexec on *NIX) Paul Schmehl (Feb 01)
    - Re: [Full-Disclosure] (Psexec on *NIX) Xavier Beaudouin (Feb 01)
    - Re: [Full-Disclosure] (Psexec on *NIX) Eduardo Tongson (Feb 01)
    - Re: [Full-Disclosure] (Psexec on *NIX) Valdis . Kletnieks (Feb 01)
    - Re: [Full-Disclosure] (Psexec on *NIX) Raj Mathur (Feb 02)
    - Re: [Full-Disclosure] (Psexec on *NIX) Valdis . Kletnieks (Feb 02)
    - Re: [Full-Disclosure] (Psexec on *NIX) Q-Ball (Feb 04)
    - Re: [Full-Disclosure] (Psexec on *NIX) James Matthews (Feb 04)
    - Re: [Full-Disclosure] (Psexec on *NIX) Tyop? (Feb 02)
    - Re: [Full-Disclosure] (Psexec on *NIX) chedder1 (Feb 02)
    - Re: [Full-Disclosure] (Psexec on *NIX) Tyop? (Feb 02)
    - Re: [Full-Disclosure] (Psexec on *NIX) Knud Erik Højgaard (Feb 03)
    - Re: [Full-Disclosure] (Psexec on *NIX) Stan Bubrouski (Feb 02)
    - Re: [Full-Disclosure] (Psexec on *NIX) Q-Ball (Feb 04)
    - Re: [Full-Disclosure] (Psexec on *NIX) Marcello Barnaba (Feb 05)

(Thread continues...)