
Re: Root login



Marek Kubica wrote:
On Thu, 4 Sep 2008 13:25:13 +0100
Paweł Krzywicki <krzywicki.pawel@googlemail.com> wrote:

The solution was as Cerbelle said. Log in as a normal user and do
sudo (or you can activate root login from the login menu; but I
personally consider it really dangerous!)
I am wondering why this is dangerous? If your password is seen as "strong" ("FaG34#fCFD12drtfdg", something
like this for example), why is this dangerous?

The point is that 1) not too many people use strong passwords, 2)
having root access allowed makes it harder to break in, since the
username is known as it is always "root". User accounts might be named
pawel, pawelk, krzywicki or be completely unknown to the attacker.


Greetings,

Even though this principle is true, it seems to me it is not applied on every system.

Try to log in on any Lenny box console with an invalid account.
You will get "Incorrect login" without being prompted for a password at all.
I tend to consider this quite a bad bug, but it seems it has been so for a while in Lenny, and even in upstream PAM.

Vincent

