
Re: Why Disable Root ssh login?



On Sat, Dec 16, 2006 at 08:57:04PM -0800, Steve Lamb wrote:
 
>     As an example look at my system(s).  I have a handful of accounts.  Some
> for friends and family, some for processes I don't want trampling all over my
> hard drive, and in the middle of that is mine.  Mine is the only one that has
> any sudo access at all.  Even so the sudo access I give myself is extremely
> limited and nowhere near full access.  So compare bare root versus your if on
> my real world example.
> 
>     Bare root:  username known, password unknown.
> 
>     My account: username known (presuming they read this), password unknown,
> sudo installed, minimal programs given root access, root's username known,
> password unknown.
> 
>     Which looks more secure to you?
> 
 

You could create a special account (the only one allowed to su) with a
random long username just like a long password and an equally long
password.  In effect, it doubles the key length.  How long can a
user-name be?  It does make it more annoying for you when you want to
use it.  

Does any of this apply if you're only allowing root login from a trusted
network?  If you need ssh access from the internet, can you allow root
login from the local net and not from the internet?  My guess is that
between the ssh and pam configs you could.

Doug.
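
The split asked about above (root login from the local net but not from the internet) can be expressed in the ssh config alone. This is an added example, not part of the original message; it assumes an OpenSSH version whose sshd_config supports Match blocks, and 192.168.1.0/24, the test addresses and client.example are constructed placeholders.

```conf
# /etc/ssh/sshd_config (excerpt): added example, not from the original thread.
# 192.168.1.0/24 is a constructed placeholder for the trusted local network.

# Global default: applies to every connection that no Match block overrides,
# including everything arriving from the internet.
PermitRootLogin no

# Match blocks must come after the global settings; each one runs until the
# next Match line or the end of the file.
Match Address 192.168.1.0/24
    # Root may log in from the trusted network, with keys only.
    # "yes" here would also allow password logins for root.
    PermitRootLogin prohibit-password

# Check the effective setting for a given source address without connecting
# (host= is a placeholder; some versions require user, host and addr together):
#   sshd -T -C user=root,host=client.example,addr=192.168.1.10 | grep -i permitrootlogin
#   sshd -T -C user=root,host=client.example,addr=203.0.113.5  | grep -i permitrootlogin
```

Match Address tests the peer address sshd sees, so a port forward, NAT device or jump host inside the local net makes internet connections look local and must be accounted for.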


