Subject: Re: sshd won't allow access by root
To: William Allen Simpson <wsimpson@greendragon.com>
From: Greg A. Woods <woods@weird.com>
List: tech-install
Date: 09/27/2002 15:06:57
[[ this is really a netbsd-users question, not a technical issue with
the NetBSD install process.... ]]

[ On Friday, September 27, 2002 at 07:11:56 (-0400), William Allen Simpson wrote: ]
> Subject: sshd won't allow access by root
>
> And SSH wouldn't let me login as root.
> 
> I understand not allowing telnet login to root on network ports, I agree.  
> However, SSH is a secure method of login.  There's no added benefit in 
> having another su user.  That's ancient thinking. 

No, it's not, at least not in most general circumstances.  Any login as
root from an arbitrary network address might not leave any audit trail
of which human user is responsible for the activities of that session.

The only time a direct root login is generally considered "secure" is
when there's an external audit trail showing who is responsible (a card
swipe audit on the machine room door, or a human security guard noting
the physical access to the machine, etc.)

> I don't really want "user" accounts on my headless DHCP/DNS/MRTG servers. 
> I certainly don't want to have to install them time after time, and train 
> staff to use them.
> 
> Where do I look to correct this egregious sin in NetBSD?

Well, there's still the issue of password guessing.  Are you 100%
certain that you'd notice any and all attempts to login as root from the
network and that you could respond quickly enough to limit damage if
some attacker did happen to guess your root password?

Yes, you still need to audit all access to each machine, but many
experts agree that making an attacker guess two passwords, and making
the attacker do this guessing in an environment where you have full
control over his or her activities (including ability to audit and
detect such suspicious activities before damage occurs), is better than
letting them guess the superuser password and gain direct and immediate
superuser access over the network where the window for damage being
done, even to the extent where all evidence of the compromise has been
erased and any backdoor is undetectable, is much smaller.  Two seconds
access as root can compromise a box in such a way that the damage is
totally undetectable without forensic analysis of the carcass on the lab
bench.

There are indeed other issues with use of unix passwords and 'su' of
course, but they are somewhat separate and are solvable by other means
(eg. one-time passwords, etc.).

(Well, I suppose if you only allow SSH connections from known trusted
hosts, and you pre-load the public keys for known client hosts on the
server and never automatically accept more, and you really do 100% trust
the client hosts and their own audit trails, then perhaps you could
allow direct root logins via SSH.  That means no non-unix clients, no
laptops or public-access machines, no access from any client at
significant risk, etc....)

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
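The following is an added example and is not part of the message above, nor NetBSD's or OpenSSH's own code. It turns the points in the reply into three checks: how a given sshd_config lets root in over the network (the shipped "no direct root login" setting, the weak "root with a password from anywhere" setting, and the key-only posture the last paragraph allows), whether root's pre-loaded authorized_keys entry is pinned to the one trusted client host, and whether root password guessing would be visible in the logs. The keywords are real sshd_config(5) and authorized_keys options, but `prohibit-password` and `KbdInteractiveAuthentication` are the current OpenSSH names (the 2002-era spelling was `without-password`); the configuration files, the key blob, the log lines and the 192.0.2.x / 203.0.113.x / 198.51.100.x addresses are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Three checks around the points
# made in the reply: how sshd is configured for root, whether the pre-loaded
# root key is pinned to a known client host, and whether root password
# guessing would show up in the logs. All files and log lines below are
# constructed; addresses are RFC 5737 documentation ranges.

DEFAULT_CONF=$(mktemp); WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
AUTH_KEYS=$(mktemp); SAMPLE_LOG=$(mktemp)
trap 'rm -f "$DEFAULT_CONF" "$WEAK_CONF" "$HARDENED_CONF" "$AUTH_KEYS" "$SAMPLE_LOG"' EXIT

cat >"$DEFAULT_CONF" <<'EOF'
# shipped default: no direct root login, su from a user account
PermitRootLogin no
EOF

cat >"$WEAK_CONF" <<'EOF'
# weak: root may log in with a password from any address
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat >"$HARDENED_CONF" <<'EOF'
# hardened: root only with a pre-loaded key, no passwords, one trusted client
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers root@192.0.2.10
EOF

# root's authorized_keys: the key is pinned to the trusted client and has
# forwarding turned off. The key blob is a placeholder, not a real key.
cat >"$AUTH_KEYS" <<'EOF'
from="192.0.2.10",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBLOB root@trusted-client
EOF

# constructed sshd log lines in syslog format
cat >"$SAMPLE_LOG" <<'EOF'
Sep 27 15:01:02 ns1 sshd[1234]: Failed password for root from 203.0.113.7 port 40112 ssh2
Sep 27 15:01:05 ns1 sshd[1234]: Failed password for root from 203.0.113.7 port 40118 ssh2
Sep 27 15:01:09 ns1 sshd[1240]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Sep 27 15:02:00 ns1 sshd[1250]: Accepted publickey for root from 192.0.2.10 port 51022 ssh2
Sep 27 15:02:44 ns1 sshd[1261]: Failed password for root from 198.51.100.23 port 3302 ssh2
EOF

# conf_value FILE KEYWORD: first value wins, as in sshd(8); empty if unset
conf_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_root_login FILE: classify how root can get in over the network
audit_root_login() {
    root=$(conf_value "$1" PermitRootLogin)
    pass=$(conf_value "$1" PasswordAuthentication)
    # current OpenSSH defaults when the keyword is absent
    : "${root:=prohibit-password}"
    : "${pass:=yes}"
    if [ "$root" = no ]; then
        echo root-login-disabled
    elif [ "$root" = yes ] && [ "$pass" = yes ]; then
        echo root-password-over-network
    else
        echo root-key-only
    fi
}

# keys_pinned_to_host FILE: "yes" only if every key line carries a from= restriction
keys_pinned_to_host() {
    awk 'NF && $1 !~ /^#/ { total++; if ($1 ~ /(^|,)from="[^"]+"/) pinned++ }
         END { print (total && pinned == total) ? "yes" : "no" }' "$1"
}

# root_password_failures LOGFILE: failed root password attempts per source address
root_password_failures() {
    awk '/sshd\[[0-9]+\]: Failed password for root from / {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
         }
         END { for (a in n) print n[a], a }' "$1" | sort -rn
}

for f in "$DEFAULT_CONF" "$WEAK_CONF" "$HARDENED_CONF"; do
    printf '%s -> %s\n' "$(sed -n '1s/^# //p' "$f")" "$(audit_root_login "$f")"
done
printf 'root keys pinned to a client host: %s\n' "$(keys_pinned_to_host "$AUTH_KEYS")"
root_password_failures "$SAMPLE_LOG"
```

The third check is the one that answers the reply's "are you 100% certain you'd notice" question: the two guesses from 203.0.113.7 and the one from 198.51.100.23 are counted, while the "invalid user admin" line and the accepted key login from the trusted client are not. Run against a real /var/log/authlog, the same awk gives a per-source tally of root password guessing, which is only possible at all when the configuration falls into the "root-password-over-network" class.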