Full Disclosure mailing list archives
Re: Re: Re: Any update on SSH brute force attempts?
From: Barrie Dempster <barrie () reboot-robot net>
Date: Tue, 19 Oct 2004 11:47:56 +0100
On Tue, 2004-10-19 at 11:00 +0100, Ronny Adsetts wrote:
> How about where you have no local users except root - all other users
> are via LDAP or similar - and some catastrophe takes out your user DB?
> Allowing root ssh login will at least get you access to the box.
>
> Allowing root ssh access but setting policy on its use seems a better
> option to me. And running jack the ripper on your password hashes of
> course.
>
> Ronny
Firstly, your DB would be backed up so you could restore the system, however ignoring that, and let's assume that for some reason we can't restore, which I admit is possible. You can configure your machine to fall back onto local password files in the absence of the LDAP server, so I would keep a local user account on the server for just such emergency scenarios. This is in the situation where I can't get to the box locally, however I always provision for local access either in person or via a third party to any system I maintain, so I have never had to deal with this. Local access is a must in order to retain reliable uptime in my opinion.

Multi-admin to me, means multi-access level, fine control and not giving anyone more access than they require.

I can see your point, but the technology provisions for it.

(excellent domain/company name BTW)

Regards,
--
Barrie Dempster (zeedo) - Fortiter et Strenue
http://www.bsrf.org.uk
[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
Attachment:
signature.asc
Description: This is a digitally signed message part
