
Re: Doing administrative work



On Monday, 22.01.2007 at 09:11 -0500, Roberto C. Sanchez wrote:

> On Mon, Jan 22, 2007 at 10:07:19AM +0000, Dave Ewart wrote:
> > as root.  The system is never used in a non-root context.
> > Therefore, to manage this system I set up no further users other
> > than root, and install my SSH key in root's account, then
> > reconfigure SSHd to allow root logins via key only (so that even
> > someone knowing the root password is unable to login via SSH, unless
> > it's me with my SSH key); I have
> 
> I certainly hope that you have a strong passphrase on the private key
> and that you have good physical protection of the host which contains
> the private key.

That's an absolute necessity, yes.  I would never consider such an
approach if the 'client' machine was in an insecure location, or
'remote' (which is the same thing, in my eyes).

> > The above example flies in the face of the usual advice, but that's
> > because the circumstances are different and possibly rather extreme.
> > I don't really need accountability, because I'm the only one with
> > access.  "Adding a non-privileged user and using sudo" would
> > actually provide less security, because it is adding an additional
> > potentially-compromisable account to the server.
> > 
> I don't agree.  If you take the same precautions and only allow public
> key logins for the unprivileged users, then you have exactly the same
> level of vulnerability.  If you then *completely* disallow remote root
> login, then you have lowered your vulnerability even more since the
> potential remote attacker would need to first compromise the private
> key and passphrase for the unprivileged account and then *still* need
> to figure out the root password or some other means of gaining root
> access locally.

Yes, your point is correct, although see below about 'convenience'.

> > I'm sure I'm opening myself to some criticism by mentioning the
> > above; please *read* what I've written before replying with "You
> > shouldn't ever use root directly", because I don't believe that's an
> > appropriate criticism in this case. ;-)
>
> I did *read* it, BTW.  I just think that your rationale that you are
> just as safe as using only an unprivileged user account is wrong.
> Now, if you only accessed the machine locally, then you might have a
> point.  However, for anything that allows remote access across an
> untrusted and/or public network, your approach is slightly more
> vulnerable than it needs to be.

Thanks for reading and understanding my point.

To be honest, I tend to use this approach on private LANs or in
conjunction with additional security measures (such as VPN).  I think
your point is valid; however, given the environment in which I would use
such a setup, the 'convenience' factor makes it worthwhile.

> > As always, so long as one properly considers the implications and
> > carefully assesses the risks versus conveniences of any particular
> > setup, you should do fine.
> > 
> Good point.  Many people seem to forget that the driver for taking a
> risk should be "the potential bad things that can happen if anything
> goes wrong" versus "the benefit I gain from taking the risk."

Absolutely.  It would be nice if this approach was more widespread ;-)

Cheers,

Dave.
-- 
Please don't CC me on list messages!
...
Dave Ewart - davee@sungate.co.uk - jabber: davee@jabber.org
All email from me is now digitally signed, key from http://www.sungate.co.uk/
Fingerprint: AEC5 9360 0A35 7F66 66E9 82E4 9E10 6769 CD28 DA92
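The two sshd postures debated in this thread (root allowed via key only, versus remote root disabled outright), as an added example that is not part of the original post: a small POSIX sh audit that reads an sshd_config and classifies whether root may log in remotely and how. The sample configs are constructed; OpenSSH's first-occurrence-wins keyword semantics are assumed, with no Match blocks.

```shell
#!/bin/sh
# Added example, not from the thread: classify an sshd_config's remote-root
# posture along the lines discussed above (root via key only vs. no remote root).
# Assumptions: OpenSSH semantics where the FIRST occurrence of a keyword wins,
# keyword names are case-insensitive, and the file contains no Match blocks.

# sshd_value FILE KEYWORD DEFAULT -> effective value of KEYWORD, lower-cased
sshd_value() {
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    val=$(awk -v k="$key" '
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }   # trim
        /^#/ || $0 == "" { next }                     # skip comments/blanks
        { split($0, f, /[ \t=]+/)                     # "Key value" or "Key=value"
          if (tolower(f[1]) == k) { print tolower(f[2]); exit } }' "$1")
    printf '%s\n' "${val:-$3}"
}

# ssh_posture FILE -> one of:
#   no-root        remote root login disabled (the stricter setup suggested)
#   root-key-only  root allowed, but only with a key (Dave's setup)
#   root-password  root may still log in with the root password (weakest)
# Defaults assume pre-7.0 OpenSSH (PermitRootLogin yes); newer releases default
# to prohibit-password. Keyboard-interactive/PAM password paths are not checked.
ssh_posture() {
    prl=$(sshd_value "$1" PermitRootLogin yes)
    pwa=$(sshd_value "$1" PasswordAuthentication yes)
    case "$prl" in
        no) echo no-root ;;
        without-password|prohibit-password|forced-commands-only) echo root-key-only ;;
        *) if [ "$pwa" = no ]; then echo root-key-only; else echo root-password; fi ;;
    esac
}

# Constructed sample configs (not taken from any real host).
tmpd=$(mktemp -d); trap 'rm -rf "$tmpd"' EXIT
dave_cfg=$tmpd/dave; roberto_cfg=$tmpd/roberto; weak_cfg=$tmpd/weak
printf '%s\n' '# root only, key only' 'PermitRootLogin without-password' \
    'PasswordAuthentication no' > "$dave_cfg"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' > "$roberto_cfg"
printf '%s\n' '  permitrootlogin yes' '#PasswordAuthentication no' > "$weak_cfg"

for f in "$dave_cfg" "$roberto_cfg" "$weak_cfg"; do
    printf '%s: %s\n' "$(basename "$f")" "$(ssh_posture "$f")"
done
```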
