Subject: Re: sshd Change: PermitRootLogin = no
To: Tim Preston <tim@flibble.org>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 09/02/2001 15:47:30
[ On Saturday, September 1, 2001 at 09:14:49 (+0100), Tim Preston wrote: ]
> Subject: Re: sshd Change: PermitRootLogin = no
>
> Greg A. Woods wibbled one day
> 
> > If any significant number of the NetBSD administrating population are
> > wanting to login directly as root in any fashion whatsoever (i.e. by SSH
> > or on any other terminal but /dev/console) then I'd be rather surprised
> > and dismayed.
> 
> I think you're assuming there is one 'holy grail' security setup. In the
> real world there are so many external factors this can never be the
> case.

Perhaps I should have qualified that with "multi-user" somehow, but I
thought that would be fairly obvious in the context of this thread....

I don't know what "real world" you live in, but in my "real world"
nobody ever logs in directly as root except on the physical consoles on
any machines I manage, and they only login on the console when a system
needs shutting down or some such thing.

(that said I do manage boxes which have root-level trust of one central
administrative host since I know that I can always audit who has used
root privileges on the admin host at any given time, and I know that
there are no completely untrusted users who are allowed any form of
access to the admin host)

> I've always taken the view that any 'user' on any system can gain 'root'
> level access if they try hard enough and long enough. My views on
> security reflect this.

Ah, well, that's a potential threat indeed, however the risk level is in
general rather low.  First off it's not something that's very easy for
even an extreme systems expert to do, especially on modern NetBSD
(unless a serious human error is made and not caught and fixed in time);
and secondly it's not very easy for anyone to get away with attempts to
do so over a long period of time (at least not on any reasonably well
managed system).

A serious attacker won't likely take this approach, and a casual
attacker who lucks out and discovers an accidentally created hole won't
likely have the expertise to do anything useful with that knowledge
without getting caught (and as such the casual attacker can often be
deterred simply by maintaining a strong perception of active regular
auditing and management).

The point in this thread is/was to ensure that the *default*
configuration of NetBSD is such that it's more difficult for any
attacker to gain un-auditable access even if the root password is
accidentally revealed in some way.

> More than a few of my boxes ONLY allow root logins and don't have any
> 'user' accounts. I'll keep it that way thank you ;)

Well, so long as only one person knows that root password then you're
not any worse off....  However if more than one person has that sole
authentication token then you have no internally verifiable mechanism of
identifying the external real-world person who logs in.  Whether this is
critically important or not obviously depends on the specific purpose
of the machine(s) in question and the degree of trust each authorised
person has for the other.

In any case that's your choice -- and I'm assuming you're expert enough
to configure your systems to make it so.  This discussion is/was focused
on the relative merits of allowing such a _potentially_ dangerous
configuration to be the default in every generic freshly installed system.

> Security is not a black and white issue unless you start turning boxes
> off and sealing them in concrete ;)

Well, that's true until/unless you start talking about generalities,
which is _entirely_ what this thread is about.

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>
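The setting this thread argues about, as an added example that is not code from the original message or from NetBSD: a POSIX shell audit that reports the effective PermitRootLogin value of an sshd_config file, following sshd's own first-occurrence-wins and Match-block rules so that a commented-out or shadowed `PermitRootLogin no` is not mistaken for a hardened configuration. The function names and any sample file contents are constructed for this example.

```shell
#!/bin/sh
# Audit helper: report the effective PermitRootLogin value of an sshd_config
# file.  The parsing rules mirror sshd's own: lines starting with "#" are
# comments, keywords are case-insensitive, the FIRST occurrence of a keyword
# wins and later ones are ignored, "keyword=value" is accepted as well as
# "keyword value", and everything after a "Match" line is conditional
# (applies only to matching connections), so it is skipped here.
# When the keyword is absent sshd uses its compiled-in default, which has
# changed across OpenSSH releases, so that case is reported as "unset"
# rather than guessed.
permit_root_login() {
    # $1: path to an sshd_config file; prints the value or "unset"
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        { gsub(/=/, " ") }                              # "Keyword=value" form
        tolower($1) == "match" { in_match = 1 }         # start of a Match block
        in_match { next }                               # conditional, skip
        tolower($1) == "permitrootlogin" && !seen { seen = 1; value = $2 }
        END { if (seen) print value; else print "unset" }
    ' "$1"
}

# Exit status 0 only when root logins over ssh are unconditionally disabled.
root_login_disabled() {
    [ "$(permit_root_login "$1" | tr "[:upper:]" "[:lower:]")" = "no" ]
}

# Stand-alone use: audit one or more files, e.g. ./check.sh /etc/ssh/sshd_config
for f in "$@"; do
    if root_login_disabled "$f"; then
        echo "$f: PermitRootLogin no (ok)"
    else
        echo "$f: PermitRootLogin $(permit_root_login "$f") (finding)"
    fi
done
```

On a current OpenSSH, `sshd -T` prints the effective configuration including compiled-in defaults; this file-level check is for auditing copies of sshd_config offline, for example collected from many hosts.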