Date: Fri, 02 Feb 2007 04:56:46 -0500
From: Valdis.Kletnieks@...edu
To: raju@...ux-delhi.org
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: (Psexec on *NIX)

On Fri, 02 Feb 2007 13:40:47 +0530, Raj Mathur said:
> I believe we have had this discussion before, but I'll iterate my
> beliefs in favour of allowing direct root access again:

> - Key-based root logins are quite secure.  I don't see any reason why
> key-based root login would be any less secure than permitting a user
> login followed by a sudo.

It's not the security of the login itself - it's the ability to create
an audit trail of which userid performed an action.  If you can find
some other way to...

> - With a little bit of configuration, it's easy to figure out which
> key was used to login to an account; the audit trail can be managed
> that way.

... like the above, then most of the issues can be worked around.

The *problem* with "direct login to root" is that it's the very rare site
that actually manages to implement it with proper audit trails.

It's a variant on the old "If you have to ask how much, you can't afford it",
just in this case "If you have to ask why they're bad, you're not qualified
to do it right".

(Also - note that if you consider the set of computers in the same
administrative domain as a whole, your system is *STILL* "login as another
user, then as root" - just that the first login is happening on another system.
You're not doing a direct login to root when viewed from the context of the
administrative domain as a whole.)



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
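The audit trail Raj describes (knowing which key authenticated a root login) and the gap Valdis points to (root logins nobody can attribute to a person) are easy to make concrete in log-parsing code. This is an added example, not part of the thread or of any project; the sshd log lines, key fingerprints and admin names are constructed, and it assumes sshd is running with `LogLevel VERBOSE` so that the fingerprint of the accepted key is logged.

```python
import re
from typing import Dict, List, Optional

# Constructed sshd log excerpt. With "LogLevel VERBOSE" in sshd_config, OpenSSH
# records the fingerprint of the public key that authenticated each login.
SAMPLE_AUTH_LOG = """\
Feb  2 04:50:01 bastion sshd[2231]: Accepted publickey for root from 192.0.2.10 port 51022 ssh2: RSA SHA256:3hYr0mY6WcQ1cVt7yZHcYmRcVbMSE1yd3pl9Dz5WxAo
Feb  2 04:51:12 bastion sshd[2290]: Accepted publickey for root from 192.0.2.11 port 51034 ssh2: ED25519 SHA256:Qd7KxM2vQKcG0e1yP3uG9wZQ0nW2LkYf7bJcR1sT8Vo
Feb  2 04:52:30 bastion sshd[2311]: Accepted publickey for root from 203.0.113.5 port 51090 ssh2: RSA SHA256:UNKNOWNkeyNotInOurInventory000000000000000
Feb  2 04:53:45 bastion sshd[2340]: Accepted password for root from 198.51.100.7 port 40000 ssh2
"""

# Constructed inventory: fingerprint -> administrator, as one would build from the
# comment field of each entry in root's authorized_keys (ssh-keygen -lf prints the
# fingerprint of every key in the file). A key missing here cannot be attributed.
KEY_OWNERS: Dict[str, str] = {
    "SHA256:3hYr0mY6WcQ1cVt7yZHcYmRcVbMSE1yd3pl9Dz5WxAo": "alice",
    "SHA256:Qd7KxM2vQKcG0e1yP3uG9wZQ0nW2LkYf7bJcR1sT8Vo": "bob",
}

# Matches OpenSSH's "Accepted <method> for <user> from <src> port <n> ssh2[: <keytype> <fp>]".
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) "
    r"port \d+ ssh2(?:: (?P<keytype>\S+) (?P<fp>SHA256:\S+))?"
)


def attribute_root_logins(log_text: str, key_owners: Dict[str, str]) -> List[dict]:
    """Return one record per accepted root login, naming the admin behind it (or None)."""
    events = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != "root":
            continue
        fp = m.group("fp")
        # Only a publickey login whose fingerprint is in the inventory yields an identity;
        # password logins and unknown keys leave the action unattributed.
        admin: Optional[str] = None
        if m.group("method") == "publickey" and fp:
            admin = key_owners.get(fp)
        events.append({"src": m.group("src"), "method": m.group("method"),
                       "fingerprint": fp, "admin": admin})
    return events


def unattributed(events: List[dict]) -> List[dict]:
    """Root logins with no person behind them: the audit gap the thread is about."""
    return [e for e in events if e["admin"] is None]
```

Running `unattributed(attribute_root_logins(SAMPLE_AUTH_LOG, KEY_OWNERS))` on the sample yields the password login and the login with the uninventoried key, which is exactly the list a site needs to be empty before "direct root login" can claim a usable audit trail.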
