Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: Any update on SSH brute force attempts?
From: Raj Mathur <raju () linux-delhi org>
Date: Mon, 18 Oct 2004 20:43:39 +0530

Hash: SHA1

"Barrie" == Barrie Dempster <barrie () reboot-robot net> writes:

    Barrie> On Mon, 2004-10-18 at 06:41 -0500, Ron DuFresne wrote:
    >> Why not just disallow root logins directly, and force someone
    >> with a valid user account to su after getting a shell?  It was
    >> my impression that was more standard, and if one has to allow
    >> remote root directly, at least restrict it to specific systems
    >> and users.  All the places I have worked for forced the su
    >> after shell to root..

    Barrie> I'm in agreement with this, as well as combining this with
    Barrie> use of sudo for common functions requiring root privs
    Barrie> (such as using tools requiring raw socks support for
    Barrie> instance) meaning you rarely have to become root and the
    Barrie> root account becomes slightly more difficult to
    Barrie> compromise.

Using su forces the use of passwords, which are difficult to manage in
a multi-admin scenario.  For instance, you may have to give the root
password to 3 different people (1 in each 8-hour shift).  What happens
when one of these people leaves the organisation?  You change the root
password and intimate the remaining two, as well as the replacement,
of the new root password.

Multiply this by 100 or 1000 machines and it becomes hell.

Use key-based login instead, then all you need to do is add/delete
keys to authorized_keys when people join/leave the group of
administrators.  Heck, you can even use cfengine or equivalent with
appropriate classes to automate the whole procedure -- define admin
groups on the central server and roll out public keys to all systems

Next, how do you manage passwords?  The options are different password
for each system (which means pieces of paper in wallets with the
passwords scribbled on them) or use the same password for multiple
machines (security nightmare).  Keys are so much simpler -- just
remember the pass phrase of your own key and you're through.


- -- Raju
- -- 
Raj Mathur                raju () kandalaya org      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]