Subject: Re: sshd Change: PermitRootLogin = no
To: James Ponder <james@squish.net>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 09/06/2001 18:50:52
[ On Thursday, September 6, 2001 at 22:05:12 (+0100), James Ponder wrote: ]
> Subject: Re: sshd Change: PermitRootLogin = no
>
> The fundamental flaw in preferring login / su is that anyone can modify su to
> record the password typed once they have gained access to that user (via
> something as simple as a PATH or shell change in .profile or other
> mechanisms that have been discussed).

I'm guessing you're talking about use of a Trojan-style program to trick
the user.

Having once upon a time written, on a certain Seventh Edition Unix
system, such programs in every available programming language which
could either manipulate the stty settings or do per-keystroke I/O
(including some add-on languages such as a BASIC interpreter) I can
certainly understand your point!  ;-)

However for the same reasons I would suggest to you that you'd have to
be very fast and smart in your attack against me.  For example
you'd have to make sure I didn't notice that my account had been used at
a strange time from a strange place.

It also wouldn't take me very long to learn to make religious use of a
"trusted path" kind of feature in SSH or similar before using 'su'....
(e.g. I could implement such a thing without very much effort by
putting a few simple hacks in all the sshd servers and slogin clients I
use)

> User accounts are more likely to have services that can be compromised,
> perhaps web sites, servers, mail readers, irc/talk clients, the list is
> endless.  People do not consider after having read an email that doing
> 'su' could be revealing the root password to a user who has compromised
> their user account.

This is quite true in general, though not so likely in any environment
where security is always kept in mind.  For example I personally don't
allow any passwords to be used in the clear for any services over any
public network segments, and I repeatedly remind users never to use
their login password for any other purpose whatsoever.

> Imagine the situation where you have a physically secure machine (your
> workstation) and you use key based remote root login to maintain your
> boxes.  The root password has been locked out.  You log in without ever
> transmitting a password using your unique personal key.  This is my
> situation, and whilst it may be unique, I believe I am using remote ssh
> root logins safely and it is increasing the security on my box over
> login / su.  Of course, being no expert in such matters I'd welcome any
> comments to the contrary.

You're comparing apples to oranges here....

Certainly use of personal keys without any multi-use passwords is a more
secure way to use SSH and in that situation direct root logins are not
as much of a risk.

However out-of-the-box that's not the way NetBSD works by default.
Until NetBSD defaults to using only some kind of certificate-based or
PKI authentication for all forms of root access that's not going to be
possible either.

> I find the change from the default of allowing root logins very strange,
> all I can see is more people thinking login / su is inherently safe and
> root ssh logins inherently unsafe which IMHO is just not true.

You're already using a custom configuration -- what's the difference to
you if you also have to change one more parameter?

> On an aside note, I do think it would be nice if ssh logged key
> access to syslog (it didn't the last time I looked) so that the argument
> for tracking who becomes root is not valid.

Hmmmm..... yes that's incredibly important too!

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>
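[Added example, not part of the original thread or of any NetBSD/OpenSSH code.]
Two points raised above can be checked mechanically on a current OpenSSH host.
First, newer sshd versions do log the key type and SHA256 fingerprint on every
"Accepted publickey" line, so direct root logins by key can be attributed to an
individual key in /root/.ssh/authorized_keys, which answers the "tracking who
becomes root" objection. Second, sshd_config(5) keeps the first value it sees
for a keyword, and a Match block runs to the next Match line or end of file, so
a "PermitRootLogin no" appended at the bottom of the file may silently do
nothing. The script below does both checks. The host name, fingerprints, key
comments, log lines and config excerpt are all constructed for the example.

```python
"""Attribute root SSH logins to individual keys from sshd syslog lines, and
report the effective PermitRootLogin value from an sshd_config text.
Added example, not from the original thread; all sample data is constructed."""
import re
from typing import Dict, List

# Constructed: SHA256 fingerprint -> key comment, as `ssh-keygen -lf
# /root/.ssh/authorized_keys` would print. The fingerprints are made up.
KNOWN_ROOT_KEYS: Dict[str, str] = {
    "SHA256:Jm1xWqGgX9YQzD1xk2wNQ5nQ3dE0L7cM8vB4hT6yR2s": "james@workstation",
    "SHA256:P0v2cK9a1B3dE4fG5hI6jK7lM8nO9pQ0rS1tU2vW3xY": "ops-deploy-key",
}

# Constructed sshd syslog output in the format current OpenSSH emits.
SAMPLE_LOG = """\
Sep  6 18:50:52 gw sshd[2011]: Accepted publickey for root from 192.0.2.10 port 54321 ssh2: ED25519 SHA256:Jm1xWqGgX9YQzD1xk2wNQ5nQ3dE0L7cM8vB4hT6yR2s
Sep  6 19:02:13 gw sshd[2042]: Accepted publickey for root from 198.51.100.7 port 40022 ssh2: RSA SHA256:Zz9yXxWwVvUuTtSsRrQqPpOoNnMmLlKkJjIiHhGgFfE
Sep  6 19:05:40 gw sshd[2050]: Accepted password for root from 203.0.113.5 port 50010 ssh2
Sep  6 19:07:01 gw sshd[2061]: Accepted publickey for james from 192.0.2.10 port 54400 ssh2: ED25519 SHA256:Jm1xWqGgX9YQzD1xk2wNQ5nQ3dE0L7cM8vB4hT6yR2s
Sep  6 19:10:22 gw sshd[2070]: Failed password for root from 203.0.113.5 port 50011 ssh2
"""

# Key type and fingerprint are only present for publickey authentication.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) "
    r"port (?P<port>\d+) ssh2(?:: (?P<ktype>\S+) (?P<fp>SHA256:\S+))?"
)


def root_logins(log_text: str, known_keys: Dict[str, str]) -> List[dict]:
    """One record per successful root login, naming the key used, or flagging a
    password login or a key that is not in our inventory of root's keys."""
    records = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m or m.group("user") != "root":
            continue
        fp = m.group("fp")
        if m.group("method") != "publickey":
            who = "PASSWORD-LOGIN"   # root's password crossed the network
        elif fp in known_keys:
            who = known_keys[fp]
        else:
            who = "UNKNOWN-KEY"      # accepted, but not in the known-key map
        records.append({"ip": m.group("ip"), "method": m.group("method"),
                        "fp": fp, "who": who})
    return records


# Constructed sshd_config excerpt showing the first-value-wins trap.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PasswordAuthentication no
# appended later by an admin; never takes effect: the earlier 'yes' wins,
# and this line sits inside the Match block above in any case
PermitRootLogin no
"""


def effective_permit_root_login(config_text: str) -> str:
    """Return the global PermitRootLogin value sshd will use: the first one seen
    outside any Match block. Accepts 'Keyword value' and 'Keyword=value'."""
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True          # everything after this is conditional
            continue
        if in_match or key != "permitrootlogin":
            continue
        return value.lower()
    return "prohibit-password"       # current OpenSSH default when unset


if __name__ == "__main__":
    print("PermitRootLogin in effect:", effective_permit_root_login(SAMPLE_CONFIG))
    for r in root_logins(SAMPLE_LOG, KNOWN_ROOT_KEYS):
        print(f"root login from {r['ip']:15} via {r['method']:9} -> {r['who']}")
```

On the sample data this reports "yes" as the effective setting despite the
trailing "PermitRootLogin no", and attributes the three root logins to
james@workstation, an unknown key, and a password login respectively; the
last two are the lines worth alerting on.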