[Novalug] ssh as root ( beating a dead horse into the ground)
Peter Larsen
plarsen at famlarsen.homelinux.com
Tue Mar 6 18:21:48 EST 2012
On Tue, 2012-03-06 at 18:03 -0500, John Holland wrote:
> Long live DenyHosts :) On any public facing box, I would always
> install DenyHosts or one of its "siblings" to automatically block IPs
> that scan or do trial and error ssh access attempts. It's not perfect,
> but it does stop most bots. And no, that doesn't mean SSH should allow
> root access when using DenyHosts.
>
> OK,
> about this root access:
>
> what if the machine is a personal one that only I will ever access via
> root? What if I have a really really good password and change it
> periodically?
You don't need it and hence you shouldn't make your system more
vulnerable than necessary. If your goal is to have an open system and
you don't care about security then this discussion can be avoided. We're
talking about what provides you with a safe and secure setup and best
practices to do that. Of course you're free to do otherwise - but you
should read into this thread that it's not a good practice to ever login
as root. That doesn't mean people don't do it - and there's a good deal
of those who do, who live to regret it (eventually).
> I still suggest that if a user account has full sudo it amounts to about
> the same thing as root.
No. Unless you find yourself writing "sudo" at every command. Without
being root, you avoid making mistakes such as "rm -rf / mytmp/bla" and
having it become a disaster. It makes you stop and think about what you
do - as you only invoke sudo when absolutely necessary. On top of this,
you're asked for credentials too, and your actions are logged. All of
which are not the case if you're logging on directly as root.
> And su requires sending the root password. I
> don't want to be running a server that I can't have full control over
> from a remote location.
su is very old and I would try not to use it. At least with pam we can
add additional security features to su, but still - it's really not
necessary to become root. It's a great tool the other way around though.
> On the subject of passwords, has anyone else seen the suggestions that
> passwords like "tango filet church hobo" are actually more secure than
> "a(*][-Lo" type things, or "sw0rdf1sh" type things? In other words real
> words but a longer total instead of trying to use funny characters. They
> are easier to remember that way.
I'll let other people deal with this. Passwords are really a legacy
thing. Most people tend to use the same password over and over, which
defeats the purpose regardless of its complexity. I wish more apps
would use fingerprint readers or key based authentication instead of
passwords.
--
Best Regards
Peter Larsen
Wise words of the day:
As the poet said, "Only God can make a tree" -- probably because it's
so hard to figure out how to get the bark on.
-- Woody Allen
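The thread's advice boils down to two sshd settings: no direct root login and key-based instead of password authentication. Below is an added example (not from the list, not from OpenSSH) that audits an sshd_config for both; it honours sshd's rule that the first occurrence of a keyword wins, so a `PermitRootLogin no` appended after an earlier `PermitRootLogin yes` is correctly reported as ineffective. It assumes whitespace-separated `Keyword value` lines and stops at the first `Match` block, whose directives are conditional.

```shell
#!/bin/sh
# Added example: audit sshd_config for root login and password auth.
# sshd uses the FIRST value it reads for a keyword, so this check does too.

# effective_value FILE KEYWORD -> prints the first value set before any Match block
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blank lines
        tolower($1) == "match" { exit }                  # Match blocks are conditional; stop
        tolower($1) == key     { print $2; exit }        # first occurrence wins
    ' "$1"
}

# check_sshd_config FILE -> returns 0 if both settings are hardened, 1 otherwise
check_sshd_config() {
    file="$1"; rc=0
    root=$(effective_value "$file" PermitRootLogin)
    pass=$(effective_value "$file" PasswordAuthentication)
    # An unset keyword falls back to the sshd default; flag it so the admin sets it explicitly.
    case "${root:-unset}" in
        no) ;;
        *)  echo "PermitRootLogin is '${root:-unset}' (want: no)"; rc=1 ;;
    esac
    case "${pass:-unset}" in
        no) ;;
        *)  echo "PasswordAuthentication is '${pass:-unset}' (want: no, use keys)"; rc=1 ;;
    esac
    return $rc
}

# constructed_weak_config -> writes a sample config (constructed, not from any real host)
# where the hardening line was appended too late to take effect, and prints its path
constructed_weak_config() {
    f=$(mktemp)
    printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
                  '# appended later, but sshd already took "yes" above' \
                  'PermitRootLogin no' > "$f"
    echo "$f"
}

weak=$(constructed_weak_config)
check_sshd_config "$weak" || echo "weak config flagged as expected"
rm -f "$weak"
```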