Re: Is SSH worth it??

[David Corking <david.corking2 () dol net>]

On Mon, 14 Oct 2002, Johan De Meersman wrote:

> Chris Berry wrote:
>
> > > From: Johan De Meersman <johan () ops skynet be>
> > > I don't think it's ever a good idea to allow root ssh to any machine
> >
> >
> > Why not?  Also, how are you going to remote administer it without some 
> > sort of control SSH, VNC, etc?
>
> Because the first shell exploit or key theft will give root access 
> instead of low-user access. Remote control is achieved by ssh-ing as 
> low-user, and then su-ing to root, thereby doubling the work involved in 
> rooting the box. 

As I recall, my favorite security site 
www.securityportal.com (rip - someone else has the domain name now)
explained in easy terms that doubling the work is *not* the purpose of
Chris's standard precaution.  (A little thought shows the work is not
doubled, although the time for the break-in to take place may be
a little longer.)

My understanding:
The main benefit is that each log in can be traced to a unique
person (for some regulated industries this is a legal requirement) to
whom you have given a unique password.  If several admins share a
remote root password you may never figure out whether one of you
legitimately logged in remotely, or it was an attacker.  Also what do
you do if one of you writes down the password and leaves it in his
home office?  Reissue root password to everyone?

And when the worst happens there is a chance of more useful forensic
evidence left behind.

> You still need decent passphrases on both your keys and 
> your root account, of course. 

Absolutely.  The strongest defence is still the authentication of the
remote log in, imo.

> You can also allow root ssh from localhost 
> only, adding a tiny bit more security still by not su-ing but ssh-ing to 
> root.

Never thought of this -- good stuff.  Will using ssh-agent instead of
typing ssh passphrase into the remote server hinder attackers ??

-- 



David