
Re: Root login in graphical environment



also sprach Crispin Wellington <crispin@aeonline.net> [2002.07.31.1645 +0200]:
> > you did. bad idea. 
> 
> Why is it a bad idea? Any compromise of ssh will give the user root
> anyway because it runs at user level root.

accounting...

> > why need it?
> 
> X forwarding.
> 
> I use ssh-agent, with 
> 
> alias root='ssh -X root@localhost'
> 
> And my key in root's authorized_keys.
> 
> Saves constantly retyping the password

if i ever find a box of yours, i'll have instant root. it's bad for
two reasons:

  (a) you are allowing root to login directly, and that not only from
      localhost. you have no chance to see who actually just became
      root.
  (b) you get an unrestricted root shell. with sudo, you get granular
      control of what you can do. the last time i had to get into
      a root shell was like last year. i do everything through sudo
      and everything works. and yet, i would never succeed to 
      `rm -rf /` by accident.

> > sudo sudo sudo sudo sudo!
> 
> xauth xauth xauth xauth!
> 
> Or do you use xhost +localhost (shudder).

no need with sudo.

anyway, explain just why xhost +localhost is so much worse than ssh -X
localhost. it's definitely faster.

-- 
martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
  
it may look like i'm just sitting here doing nothing.
but i'm really actively waiting
for all my problems to go away.
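
An added example, not part of the original message: a small audit for the two conditions raised in points (a) and (b) above, namely direct root login being permitted and a key in root's authorized_keys with no `from=` or `command=` restriction. The function names and the sample input are constructed for illustration.

```python
import re

KEY_TYPES = ("ssh-", "ecdsa-sha2-", "sk-")  # prefixes of public key type names
QUOTED = r'"(?:\\.|[^"\\])*"'

def root_login_setting(sshd_config):
    """First global PermitRootLogin value (sshd uses the first one it reads)."""
    for line in sshd_config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].lower() == "match":
            break  # only the global section is inspected here
        if words[0].lower() == "permitrootlogin" and len(words) > 1:
            return words[1].lower()
    return None

def key_options(entry):
    """Names of the options placed before the key type on an authorized_keys line."""
    if entry.startswith(KEY_TYPES):
        return set()
    # The option field ends at the first whitespace outside double quotes.
    field = re.match(rf'(?:{QUOTED}|[^\s"])*', entry).group(0)
    bare = re.sub(QUOTED, '""', field)  # drop quoted values, they may hold commas
    return {name.lower() for name in re.findall(r'(?:^|,)([A-Za-z-]+)', bare)}

def audit(sshd_config, root_authorized_keys):
    findings = []
    setting = root_login_setting(sshd_config)
    if setting != "no":
        findings.append(f"PermitRootLogin is {setting or 'unset, build default applies'}")
    for n, line in enumerate(root_authorized_keys.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        opts = key_options(entry)
        if "from" not in opts:
            findings.append(f"root key, line {n}: no from=, accepted from any host")
        if "command" not in opts:
            findings.append(f"root key, line {n}: no command=, unrestricted root shell")
    return findings

# Constructed sample input (key blobs are placeholders, not real keys).
SAMPLE_SSHD = "Port 22\nPermitRootLogin yes\nPermitRootLogin no\n"
SAMPLE_KEYS = ('ssh-ed25519 AAAA_PLACEHOLDER user@desk\n'
               'from="127.0.0.1,::1",command="/usr/bin/uptime" ssh-ed25519 AAAA_PLACEHOLDER job\n')

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SSHD, SAMPLE_KEYS)))
```

On a real host the two arguments would be the contents of sshd_config and of root's authorized_keys file; settings inside `Match` blocks are not evaluated by this sketch.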
