Aaron Toponce schreef:
SQL injecting and web forms will not work for ssh directly, unless you have a very poorly configured apache+mysql-config. Of course there are ways of obtaining someone's password. Shared key seems more secure, with a good policy for guarding the keys. I am not arguing that. It is just that when you disable root logins there's in principle an extra layer of protection. This 'in principle' of course only helps when done properly, thus not reusing passwords etc. The fact that a compromised user account = a compromised machine is of course very true. However, when detected it might be that the attacker did not manage yet to get root permissions. Thus, it buys some time.On Thu, Feb 24, 2011 at 04:51:30PM -0600, Boyd Stephen Smith Jr. wrote:For example, you might let one user "sudo" without a password, disable root logins via ssh, have every other user (including root) be disabled in /etc/shadow, disable password logins via ssh, and have all other non-root users have a bogus shell like /bin/false. That user of course only have one entry in authorized_keys, and it is a 4242-bit key.Or you could an SQL injection, or you could attack a web form, or you could...
Sjoerd
Attachment:
signature.asc
Description: OpenPGP digital signature