lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri, 2 Feb 2007 16:51:36 +0100
From: "Tyop?" <tyoptyop@...il.com>
To: raju@...ux-delhi.org, full-disclosure@...ts.grok.org.uk
Subject: Re: (Psexec on *NIX)

On 2/2/07, Raj Mathur <raju@...ux-delhi.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> On Friday 02 February 2007 12:08, Valdis.Kletnieks@...edu wrote:
> > On Fri, 02 Feb 2007 13:25:11 +0800, Eduardo Tongson said:
> > > On 2/2/07, Xavier Beaudouin <kiwi@....net> wrote:
> > > <>
> > > > Allowing direct root login even with SSH is IMHO stupid...
> > > Please elaborate why is it IYHO stupid.
> > In environments where more than 1 person has root access, allowing
> > direct login to root means you can't keep an audit trail of which
> > person logged in.
> >
> > And if your environment only one person has root access, that's
> > just looking for a DoS if the one person is hit by a bus.....
>
> I believe we have had this discussion before, but I'll iterate my
> beliefs in favour of allowing direct root access again:
>
> - - Password management is a bitch.  I don't remember passwords for
> about half the accounts I have.  Using a key-based root login, I
> don't need to remember those passwords either.  If you take the sudo
> route, every user has to remember each password for each account,
> unless you take the deprecated route of reusing passwords (or
> *horrors* allow sudo without password).

key-based login without passphrase is like eating cheese without
bred. useless (IMHO).

> - - With a little bit of configuration, it's easy to figure out which
> key was used to login to an account; the audit trail can be managed
> that way.
> - - Managing which users have access to which root accounts is trivial
> this way: just add or delete their keys from .ssh/authorized_keys[2].

Totally agree.

-- 
Tyop?
http://altmylife.blogspot.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists