[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <985b1a3d0702021938p2106dddeu87e7293500e49680@mail.gmail.com>
Date: Sat, 3 Feb 2007 04:38:41 +0100
From: "Tyop?" <tyoptyop@...il.com>
To: chedder@...d.shaw.ca, full-disclosure@...ts.grok.org.uk
Subject: Re: (Psexec on *NIX)
On 2/2/07, chedder1@...il.com <chedder1@...il.com> wrote:
> On Fri, Feb 02, 2007 at 04:51:36PM +0100, Tyop? wrote:
> > On 2/2/07, Raj Mathur <raju@...ux-delhi.org> wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA1
> > > On Friday 02 February 2007 12:08, Valdis.Kletnieks@...edu wrote:
> > > > On Fri, 02 Feb 2007 13:25:11 +0800, Eduardo Tongson said:
> > > > > On 2/2/07, Xavier Beaudouin <kiwi@....net> wrote:
> > > > > <>
> > > > > > Allowing direct root login even with SSH is IMHO stupid...
> > > > > Please elaborate why is it IYHO stupid.
> > > > In environments where more than 1 person has root access, allowing
> > > > direct login to root means you can't keep an audit trail of which
> > > > person logged in.
> > > >
> > > > And if your environment only one person has root access, that's
> > > > just looking for a DoS if the one person is hit by a bus.....
> > >
> > > I believe we have had this discussion before, but I'll iterate my
> > > beliefs in favour of allowing direct root access again:
> > >
> > > - - Password management is a bitch. I don't remember passwords for
> > > about half the accounts I have. Using a key-based root login, I
> > > don't need to remember those passwords either. If you take the sudo
> > > route, every user has to remember each password for each account,
> > > unless you take the deprecated route of reusing passwords (or
> > > *horrors* allow sudo without password).
> >
> > key-based login without passphrase is like eating cheese without
> > bred. useless (IMHO).
> >
> > > - - With a little bit of configuration, it's easy to figure out which
> > > key was used to login to an account; the audit trail can be managed
> > > that way.
> > > - - Managing which users have access to which root accounts is trivial
> > > this way: just add or delete their keys from .ssh/authorized_keys[2].
> >
> > Totally agree.
> ... i eat cheese without bread
It's dangerous.
--
Tyop?
http://altmylife.blogspot.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists