Subject: Re: sshd Change: PermitRootLogin = no
To: Tero Kivinen <kivinen@ssh.fi>
From: RJ Atkinson <rja@inet.org>
List: tech-security
Date: 08/31/2001 11:17:59

At 09:29 31/08/01, Tero Kivinen wrote:
>I think it is better to change the root password to be secure instead
>of turning off the root logins. 

        Your mileage varies.  

>I do not understand how it makes it more secure to type in two 
>(quite often identical) passwords instead of one. 

        Auditing.  And in my experience it is very unusual for
the root password to be identical to *any* user password.

>Note, that this will also break all automatic administration scripts
>people might have. Another option could be to change it to nopwd, in
>which case you can login using the rsa keys etc (provided the public
>keys are put to .ssh directory) but does not allow login with password
>authentication. This does not break the administration scripts, but
>still prevents administrators to login as root directly by typing the
>password.

        Given the history of protocol security flaws in SSH, 
it would be silly to enable RSA authentication and use automated 
scripts like that, IMHO.  SSH is useful, but a prudent system
administration strategy is to use both belt and suspenders
-- so disabling RSA authentication and requiring passwords
(preferably one-time passwords) inside the SSH channel.

>Of course it is actually safer to login directly as root, than using
>the su command, as the su command is vulnerable to the timing attacks.

        That claim is not necessarily true, given the history of problems 
with both SSH the protocol and various implementations of SSH.

>Login directly with ssh is not vulnerable to that kind of attack, as
>the password is sent out as one request.

        No, instead one attacks the SSH implementation or flaws in
the SSH protocol (SSHv1 is still widely deployed, to pick an
obvious example) and the result is just as bad for the system 
attacked.

Ran
rja@inet.org