[ale] SSH attempts

Michael H. Warfield mhw at WittsEnd.com
Fri Sep 16 14:41:10 EDT 2011


On Fri, 2011-09-16 at 13:55 -0400, Jim Kinney wrote: 
> But if you lock the root account you're hosed in emergency run level 1.
> Instead set securetty to only be local console and use sudo for all else.

Agreed...  But you can also do this in sshd_config.  Just don't allow
remote root login.  If you do it that way, you can also then allow a
"loop through" ssh authenticated login to root through local host
(127.0.0.1 and ::1).  I do this on a couple of systems for root and
other local-only accounts.  There are places where I prefer sudo and
there are places I like "ssh root@localhost".  Each has its place and
its use and doesn't preclude the occasional use of root on a hard
console, virtual console, or serial console.

> On Sep 16, 2011 1:47 PM, "Michael B. Trausch" <mike at trausch.us> wrote:
> > On Mon, 2011-09-12 at 17:40 -0400, Bob Toxen wrote:
> >> Disabling root ssh and requiring one first to ssh in through another
> >> account and su'ing or sudo'ing to root is not as effective as the
> >> above solutions and may diminish security, in my opinion.
> >
> > Okay, so I can understand why that would be the case for giving accounts
> > access to su (but if you're doing that, then you haven't locked the
> > password for the root user anyway), but sudo is a totally different
> > animal.
> >
> > What I do on all my systems these days is this:
> >
> > * I run "passwd -l root", so that root cannot log in by any means
> > (because its password is locked).
> >
> > * I create a group for full system administrators (that is, people
> > that can run "sudo -i" or "sudo -s" to the root user account).
> >
> > * If the system has subadministrators, I configure sudo for that.
> > For example, on a system that runs a phone system (say, FreeSWITCH),
> > the phone system runs as a certain user. I'll create a group for
> > people who are allowed to become that user, and then configure sudo
> > to enable people to change their uid to that user so that they can
> > administer the phone system. Same goes for a Web administrator or
> > DBA. Such people would, therefore, not be allowed to become root
> > (because they have no need to do so).
> >
> > * If there are people who have to run single commands as root, I will
> > configure sudo to enable them to do so (as long as it's not a command
> > that will spawn a subshell or something). All bets are off if it can
> > spawn a subshell, of course, but as long as it is a well-behaved
> > single-task program, it is usually fine.
> >
> > The sudo command can be used to create a very fine-grained system where
> > people can only gain access to the privileges that they need in order to
> > get their work done. It _can_ take a little bit to engineer an
> > appropriate configuration, but once that's done, sudo takes care of the
> > logging and all of that for you.
> >
> > There are even ways to make it possible to have fully functional system
> > administrators that can do everything _except_ change the sudo
> > configuration or certain items like system logs, though that is slightly
> > outside of the scope of sudo itself.
> >
> > All that to say that proper use of sudo significantly enhances system
> > security, not the opposite.
> >
> > --- Mike
> >
> > --
> > A man who reasons deliberately, manages it better after studying Logic
> > than he could before, if he is sincere about it and has common sense.
> > --- Carveth Read, “Logic”
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
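An sshd_config fragment implementing the "loop through" arrangement Michael describes above (remote root login denied everywhere, with a loopback-only exception); this is an added example, not a configuration taken from any poster's system. It assumes OpenSSH 7.0 or newer for the `prohibit-password` keyword (older releases spell it `without-password`) and that root's authorized_keys holds only the keys of the administrators meant to use it.

```sshd_config
# /etc/ssh/sshd_config  (added example; not copied from the thread)

# Default for every connection: no root login over the network at all.
# This only affects sshd; the root account itself is not locked, so
# run level 1 and console root logins keep working.
PermitRootLogin no

# Exception solely for connections arriving over loopback (IPv4 and IPv6):
# a user who is already authenticated on this host may "ssh root@localhost".
# prohibit-password keeps the exception key-only (assumed OpenSSH >= 7.0;
# on older releases the keyword is without-password).
Match Address 127.0.0.1,::1
    PermitRootLogin prohibit-password
```

To confirm which setting a given peer gets, run `sshd -T -C addr=127.0.0.1,user=root,host=localhost | grep -i permitrootlogin` (expect `prohibit-password`) and repeat with a non-loopback address (expect `no`). Root logins through the loopback exception still appear in the auth log with the source address 127.0.0.1 or ::1, so they can be reviewed separately from ordinary remote logins.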