Re: PermitRootLogin enabled by default

To: Christian Egli <christian.egli@wyona.com>
Cc: Debian-Security <debian-security@lists.debian.org>
Subject: Re: PermitRootLogin enabled by default
From: Simon Kirby <sim@netnation.com>
Date: Wed, 26 Jun 2002 08:33:44 -0700
Message-id: <[🔎] 20020626153343.GB12485@netnation.com>
In-reply-to: <[🔎] 87sn3aqdqn.fsf@wyona.com>
References: <[🔎] 1025093461.508.17.camel@adelita> <[🔎] 20020626160558.B28373@fnb.tu-darmstadt.de> <[🔎] 20020626145951.GA12485@netnation.com> <[🔎] 87sn3aqdqn.fsf@wyona.com>

On Wed, Jun 26, 2002 at 05:08:32PM +0200, Christian Egli wrote:

> Simon Kirby <sim@netnation.com> writes:
> 
> > Using "su root" later is worse than just logging in as root with a key.
> 
> I cannot understand why using "su root" later would be worse. Can you
> enlighten me?

Sure.

In all cases, you always depend on the security of the client, whether it
be protecting a key on the filesystem or protecting the keystrokes from
being logged.  If the client is compromised, anything can happen,
regardless of if the client has to enter one password, two passwords, a
key with one passphrase, or a key with ssh-agent.  So, let us look at the
server.

If the server is compromised, often a password sniffer and/or trojaned
SSH or su daemon will be installed.

With passwords, as soon as the next administrator logs in and enters the
password, via su or via ssh, the password will be decrypted to cleartext
by the server for verification and thus logged.  If this password happens
to be used on any other server, the attacker will have access to those
servers (you could have a different password for every server, but often
this does not happen in practice).

With keys, nothing special happens.  The server can either allow or
refuse the connection, and logging will accomplish nothing other than
being able to determine the public key (which would already have to be on
the server anyway).  The attacker cannot obtain any password or private
key information.

This combined with the fact that logging in as root (preferrably with a
key) makes things like "scp" and other non-interactive programs possible
over SSH.  I don't see any reason _not_ to log in directly as root. 
Logging is the only potential issue, but that can be fixed by altering
the log level in sshd_config.  (Remember we're talking about root access
here.  Anybody with root access can alter logs and/or transmit decoy
logging entries to remote logging servers, etc., so logs for root logins
aren't really that useful except for the "Alright, who broke it?" case.)

Simon-

[        Simon Kirby        ][        Network Operations        ]
[     sim@netnation.com     ][     NetNation Communications     ]
[  Opinions expressed are not necessarily those of my employer. ]

-- 
To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to:

Follow-Ups:
- Re: PermitRootLogin enabled by default
  - From: Andrew Sayers <andrew-date-2002-06-26@ccl.bham.ac.uk>

References:
- PermitRootLogin enabled by default
  - From: InfoEmergencias - Luis Gómez <lgomez@infoemergencias.com>
- Re: PermitRootLogin enabled by default
  - From: Christoph Ulrich Scholler <scholler@fnb.tu-darmstadt.de>
- Re: PermitRootLogin enabled by default
  - From: Simon Kirby <sim@netnation.com>
- Re: PermitRootLogin enabled by default
  - From: Christian Egli <christian.egli@wyona.com>

Prev by Date: Re: PermitRootLogin enabled by default
Next by Date: Re: PermitRootLogin enabled by default
Previous by thread: Re: PermitRootLogin enabled by default
Next by thread: Re: PermitRootLogin enabled by default
Index(es):
- Date
- Thread