Prevent remote root logins - Security


Thread: Prevent remote root logins

  1. Re: Prevent remote root logins

    Michael Paoli wrote:

    >> How is that different from having several persons that know the root
    >> password?

    >
    > You stick the "root" (the one and only superuser account, customarily
    > root[1]) password in a highly opaque, well sealed, tamper resistant
    > envelope, then lock that up in "break glass in case of emergency"
    > container, in front of multiple videotaped video cameras, inside your
    > highly secure vault behind your mantrap(s) (okay, so some
    > environments may be roughly like that).


    What he said. This is what I and my sysadmin staff did at $FIRM, a once
    well-known Linux support company.

    If someone hypothetically found a way to lose that envelope, then it's a
    darned good thing that any of us could break in from the physical
    console in our sleep, if need be. ;->

    Mediating superuser access via sudo introduces useful logging (no, _not_
    in any way proof against malign root-user intruders, but quite handy for
    normal accountability auditing), and automatically times out privilege,
    making it less likely to clobber things by mistake.

    --
    Cheers,
    Rick Moen Habetis bona deum.
    rick@linuxmafia.com

  2. Re: Prevent remote root logins

    boomboom999@yahoo.com wrote:
    > Thank you Lew
    >
    > Could you explain why having more than one "UID 0" could be a problem?
    >
    > Thank you in advance
    >

    There are a couple of good reasons why you shouldn't. First, users are
    identified by their UID. This means that to the logfiles and
    permissions on the system, these users all look the same. If anyone
    does anything that causes a problem (intentionally or not), you have no
    way of confirming who it was.

    Second, users should not be logging in with a UID 0 account at all. If
    each user has a non-privileged account that is capable of using sudo,
    then the worst that happens is that they have to type a password once or
    twice when they wouldn't have had to previously (note that this is still
    the same password used for login). Since they're logging in over SSH
    (note it should be version 2 - SSH1 is insecure), there's no real
    disadvantage to this other than the 2 seconds of inconvenience.

    You get a number of benefits from this:

    Sudo logs everything that the user does - this makes it much simpler to
    track down problems, be they accidental or otherwise.

    You can give and limit permissions at a very fine level; you could have
    a user that needs to be able to restart apache and modify its settings,
    for example. This user might have no need to be able to install a
    kernel module. In multi host environments, this also lets you give a
    user administrative rights on one host while only having a standard
    account on another host.

    The last reason should be fairly obvious - the user can run programs
    without root privileges. If the user needs to launch a web browser to
    download a new version of a kernel patch, or to check a howto document,
    that web browser doesn't have to have write access to the entire system.
    This applies even remotely, since it might be impractical to sftp or
    scp the files in from the user's computer, especially if it's coming in
    on a slow link.

    Brendan Smithyman

  3. Re: Prevent remote root logins

    Brendan Smithyman writes:

    >boomboom999@yahoo.com wrote:
    >> Thank you Lew
    >>
    >> Could you explain why having more than one "UID 0" could be a problem?
    >>
    >> Thank you in advance
    >>

    >There are a couple of good reasons why you shouldn't. First, users are
    >identified by their UID. This means that to the logfiles and
    >permissions on the system, these users all look the same. If anyone
    >does anything that causes a problem (intentionally or not), you have no
    >way of confirming who it was.


    One reason for separate accounts with uid 0-- You have 10 machines on
    which you are root and have a common password. You want to allow blogs to
    have access as root on machine A. You place a user altroot with uid 0 and
    with a separate password onto machine A that he can use.



    >Second, users should not be logging in with a UID 0 account at all. If
    >each user has a non-privileged account that is capable of using sudo,
    >then the worst that happens is that they have to type a password once or
    >twice when they wouldn't have had to previously (note that this is still
    >the same password used for login). Since they're logging in over SSH
    >(note it should be version 2 - SSH1 is insecure), there's no real
    >disadvantage to this other than the 2 seconds of inconvenience.


    >You get a number of benefits from this:


    >Sudo logs everything that the user does - this makes it much simpler to
    >track down problems, be they accidental or otherwise.


    >You can give and limit permissions at a very fine level; you could have
    >a user that needs to be able to restart apache and modify its settings,
    >for example. This user might have no need to be able to install a
    >kernel module. In multi host environments, this also lets you give a
    >user administrative rights on one host while only having a standard
    >account on another host.


    >The last reason should be fairly obvious - the user can run programs
    >without root privileges. If the user needs to launch a web browser to
    >download a new version of a kernel patch, or to check a howto document,
    >that web browser doesn't have to have write access to the entire system.
    >This applies even remotely, since it might be impractical to sftp or
    >scp the files in from the user's computer, especially if it's coming in
    >on a slow link.


    >Brendan Smithyman


  4. Re: Prevent remote root logins

    Unruh wrote:

    > One reason for separate accounts with uid 0-- You have 10 machines on
    > which you are root and have a common password. You want to allow blogs to
    > have access as root on machine A. You place a user altroot with uid 0 and
    > with a separate password onto machine A that he can use.


    Why would you need to give him a uid 0 account for this? If you give
    him an unprivileged account and add the line

    username ALL=(ALL) ALL

    to your /etc/sudoers file, then the user can become root using his
    own login password. It's the same privilege level, but with a measure
    of accountability. He can type "sudo command" to run a single command,
    or "sudo -s" for su-like functionality. If you need to adjust it later,
    you don't have to restructure the entire account, you just remove the
    line from the sudoers file. You can even set it so that he doesn't have
    to type a password if you really want to, with

    username ALL=(ALL) NOPASSWD:ALL

    What can you do as UID 0 that you can't do as a user operating under sudo?

    Brendan Smithyman


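
As an added example (not part of any post in this thread), the POSIX shell sketch below audits for the two patterns the posts above discuss: extra UID 0 accounts such as altroot, and sudoers rules that grant ALL commands. The sample passwd and sudoers text, the altadmin and webadmin names and the apachectl path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Print every account with UID 0 other than "root" (passwd format, stdin or files).
extra_uid0() {
    awk -F: '$3 ~ /^0+$/ && $1 != "root" { print $1 }' "$@"
}

# Heuristic: print "<who> <NOPASSWD|password>" for sudoers rules whose command
# list is ALL. It does not expand aliases or follow include files.
broad_sudo() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/           { next }  # comments, includes, blanks
        $1 ~ /^(Defaults|[A-Za-z]+_Alias)/ { next }  # settings, alias definitions
        !/=/                               { next }  # not a user specification
        {
            spec = $0
            sub(/^[^=]*=[ \t]*/, "", spec)           # drop "who host ="
            sub(/^\([^)]*\)[ \t]*/, "", spec)        # drop "(runas)"
            auth = (spec ~ /NOPASSWD:/) ? "NOPASSWD" : "password"
            gsub(/[A-Z]+:[ \t]*/, "", spec)          # drop tags such as NOPASSWD:
            if (("," spec ",") ~ /,[ \t]*ALL[ \t]*,/) print $1, auth
        }' "$@"
}

# Constructed passwd sample: altroot shares UID 0 with root.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
altroot:x:0:0:second superuser:/root:/bin/bash
bloggs:x:1001:1001:Joe Bloggs:/home/bloggs:/bin/bash'

# Constructed sudoers sample: two unrestricted rules, one limited to Apache.
SAMPLE_SUDOERS='# constructed sudoers sample
Defaults env_reset
Cmnd_Alias APACHE = /usr/sbin/apachectl restart
username ALL=(ALL) ALL
altadmin ALL=(ALL) NOPASSWD:ALL
webadmin ALL=(root) APACHE'

echo "Extra UID 0 accounts:"
printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0
echo "Unrestricted sudo rules:"
printf '%s\n' "$SAMPLE_SUDOERS" | broad_sudo
```

On a real host the functions take /etc/passwd and /etc/sudoers as file arguments; "sudo -l -U <user>" remains the authoritative view of what a given user may run.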

