lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: ronny.adsetts at amazinginternet.com (Ronny Adsetts)
Subject: Re: Re: Any update on SSH brute	force	attempts?

Barrie Dempster said at 19/10/2004 11:47:
> Firstly, your DB would be backed up so you could restore the system,
> however ignoring that, and lets assume that for some reason we can't
> restore, which I admit is possible.

Yeah, the DB would be backed up. That's slightly different to getting remote 
access when the user DB is unavailable for whatever reason.

> You can configure your machine to fallback onto local password files in
> the absence of the the LDAP server, so I would keep a local user account
> on the server for just such emergency scenarios.

Exactly. Fall back to the local passwd is exactly what I was saying. Using the 
root user in this case rather than a separate local user just means one less 
thing to maintain - you always have a local root anyway.

Setting up the box with a long enough random password. Big letters "In case of 
Emergency only".

Or, like many have suggested, allow root access with keys only.

> This is in the situation where i can't get to the box locally, however I
> always provision for local access either in person or via a third party
> to any system I maintain, so I have never had to deal with this. Local
> access is a must in order to retain reliable uptime in my opinion.

Local tty access may be a 3 hour drive to the datacenter. Hands on help from 
many datacenters gives you reboots only (depending who's shift it is).

> Multi-admin to me, means multi-access level, fine control and not giving
> any one more access than they require. I can see your point, but the
> technology provisions for it.

Of course, many layers, minimal access.

<shrug> It's a preference thing really. I don't see that allowing remote root 
ssh access gives much away provided the password owners and the password are 
trusted.

> (excellent domain/company name BTW)

Thanks. We spent ages trying to come up with something snappy, etc., and I 
think we'd just seen one to many things on the 'net that brought about the 
reaction of "That's amazing!". Like the guy with the computer comtrolled 
christmas lights that you can control from his website...  and the Big Red 
Button. Heh.

Ronny
-- 
Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ