Re: [Full-Disclosure] (Psexec on *NIX)

On Fri, 02 Feb 2007 13:40:47 +0530, Raj Mathur said:
> I believe we have had this discussion before, but I'll iterate my
> beliefs in favour of allowing direct root access again:

> - Key-based root logins are quite secure. I don't see any reason why
> key-based root login would be any less secure than permitting a user
> login followed by an sudo.

It's not the security of the login itself - it's the ability to create
an audit trail of which userid performed an action. If you can find
some other way to...

> - With a little bit of configuration, it's easy to figure out which
> key was used to login to an account; the audit trail can be managed
> that way.

... like the above, then most of the issues can be worked around.

The *problem* with "direct login to root" is that it's the very rare site
that actually manages to implement it with proper audit trails.

It's a variant on the old "If you have to ask how much, you can't afford it",
just in this case "If you have to ask why they're bad, you're not qualified
to do it right".

(Also - note that if you consider the set of computers in the same
administrative domain as a whole, your system is *STILL* "login as another
user, then as root" - just that the first login is happening on another system.
You're not doing a direct login to root when viewed from the context of the
administrative domain as a whole.)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/