From: barrie at reboot-robot.net (Barrie Dempster)
Subject: Re: Re: Any update on SSH brute force attempts?

On Tue, 2004-10-19 at 11:00 +0100, Ronny Adsetts wrote:
> How about where you have no local users except root - all other users are via 
> LDAP or similar - and some catastrophe takes out your user DB? Allowing root 
> ssh login will at least get you access to the box.
> 
> Allowing root ssh access but setting policy on its use seems a better option 
> to me. And running jack the ripper on your password hashes of course.
> 
> Ronny

Firstly, your DB would be backed up so you could restore the system,
however ignoring that, and let's assume that for some reason we can't
restore, which I admit is possible.

You can configure your machine to fall back onto local password files in
the absence of the LDAP server, so I would keep a local user account
on the server for just such emergency scenarios.
This is in the situation where I can't get to the box locally, however I
always provision for local access either in person or via a third party
to any system I maintain, so I have never had to deal with this. Local
access is a must in order to retain reliable uptime in my opinion.

Multi-admin to me, means multi-access level, fine control and not giving
anyone more access than they require. I can see your point, but the
technology provisions for it.

(excellent domain/company name BTW)

Regards,

-- 
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]
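
The fallback arrangement discussed in this message (local files still consulted alongside LDAP, a local emergency account, root SSH login off) can be checked with a short script. This is an added example, not part of the original post; the sample file contents, the `rescue` account name and the assumed `PermitRootLogin` default of `yes` are constructed assumptions, and `Match` blocks in `sshd_config` are not evaluated.

```python
import re

# Constructed sample inputs (not taken from any real host).
NSSWITCH = "passwd: files ldap\nshadow: files ldap\ngroup: ldap files\n"
SSHD_CONFIG = "# constructed sample\nPermitRootLogin no\nPasswordAuthentication yes\n"
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
          "rescue:x:1000:1000:Emergency admin:/home/rescue:/bin/bash\n")

def nss_sources(text, db):
    """Ordered lookup sources for one nsswitch.conf database."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(db + ":"):
            rest = line.split(":", 1)[1]
            # Drop action items such as [NOTFOUND=return].
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []

def sshd_option(text, key, default):
    """sshd uses the first value it reads; keywords are case-insensitive."""
    for line in text.splitlines():
        if line.strip().startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == key.lower():
            return parts[1].strip().lower()
    return default

def local_login_accounts(passwd_text):
    """Non-root accounts in the local passwd file with a usable shell."""
    names = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) == 7 and f[2] != "0" and not f[6].endswith(("nologin", "false")):
            names.append(f[0])
    return names

def audit(nsswitch, sshd, passwd):
    findings = []
    for db in ("passwd", "shadow"):
        if "files" not in nss_sources(nsswitch, db):
            findings.append(f"{db}: no local 'files' source to fall back on")
    # Assumed default of "yes" when the keyword is absent (conservative).
    if sshd_option(sshd, "PermitRootLogin", "yes") != "no":
        findings.append("sshd: root login over SSH is permitted")
    if not local_login_accounts(passwd):
        findings.append("passwd: no local non-root account for emergencies")
    return findings

if __name__ == "__main__":
    print(audit(NSSWITCH, SSHD_CONFIG, PASSWD) or "fallback setup looks consistent")
```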