Subject: Re: sshd Change: PermitRootLogin = no
To: NetBSD Security Technical Discussion List <tech-security@NetBSD.ORG>
From: James Ponder <james@squish.net>
List: tech-security
Date: 09/08/2001 16:08:08
On Thu, Sep 06, 2001 at 06:50:52PM -0400, Greg A. Woods wrote:
> However for the same reasons I would suggest to you that you'd have to
> be either very fast and smart in your attack against me.  For example
> you'd have to make sure I didn't notice that my account had been used at
> a strange time from a strange place.

If I attacked your mail client, my buffer overrun code might have installed
a listening port waiting for commands or some such that would not be logged
as a login event (e.g. à la Code Red).

> It also wouldn't take me very long to learn to make religious use of a
> "trusted path" kind of feature in SSH or similar before using 'su'....
> (eg. and I could implement such a thing without very much effort by
> putting a few simple hacks in all the sshd servers and slogin clients I
> use)

Well, the only way this could really work is if you disable all profiles
for your wheel accounts because as soon as something is run or sourced a
trojan shell could be exec'd - the trojan shell can then record all
keypresses and perhaps even look out for vi/more access on the tampered
files.  However, I'm not really thinking about what you or I do, but rather
what the masses do - a security expert can modify a system to be as secure
as they want - but the general masses just use what they believe they
are supposed to, and there lies my problem: disabling root logins via ssh
means the only way under NetBSD to login as root to a box is by going through
a user account and I don't think users are sufficiently knowledgeable in
general to use their wheel user accounts in a safe way.

> For example I personally don't allow any passwords to be used in the
> clear for any services over any public network segments, and I repeatedly
> remind users never to use their login password for any other purpose
> whatsoever.

Again, my perspective in this conversation is that the majority of unix
users these days are not knowledgeable enough to realise the impact of
their actions when it comes to typing a command such as "su", and that
the change to deny remote root logins over ssh is just going to encourage
this bad practice (IMHO).  There may be occasions where su is completely
safe and does increase security but I think these are few and far between.

> Certainly use of personal keys without any multi-use passwords is a more
> secure way to use SSH and in that situation direct root logins are not
> as much of a risk.
> 
> However out-of-the-box that's not the way NetBSD works by default.
> Until NetBSD defaults to using only some kind of certificate-based or
> PKI authentication for all forms of root access that's not going to be
> possible either.

I think perhaps you've hit the nail on the head.  I think I hate su :-)
I think su should be removed and an alternative found.  I think ssh can be
this alternative.  There, I said it!


Best wishes, James
-- 
James Ponder; www.squish.net
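As an added illustration of the "something is run or sourced" worry above (my own example, not from this thread or from NetBSD), a small POSIX sh audit that walks the shell start-up files of every wheel member and flags any that are group/world-writable or not owned by the account, then shows what sshd_config says about PermitRootLogin; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from this thread): audit wheel members' shell start-up
# files, since anything sourced at login could exec a trojan shell before 'su'.

# Start-up files the common login shells source.
PROFILE_FILES=".profile .login .cshrc .shrc .bashrc .bash_profile .kshrc"

# check_profile FILE OWNER: return 1 (and print a finding) if FILE is
# group- or world-writable or not owned by OWNER; 0 if fine or absent.
check_profile() {
    f=$1; owner=$2
    [ -e "$f" ] || return 0
    rc=0
    # Octal -perm tests work with both GNU and BSD find.
    if [ -n "$(find "$f" -maxdepth 0 \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE: $f is group- or world-writable"
        rc=1
    fi
    if [ -z "$(find "$f" -maxdepth 0 -user "$owner" 2>/dev/null)" ]; then
        echo "OWNER: $f is not owned by $owner"
        rc=1
    fi
    return $rc
}

# wheel_members: logins listed in the wheel group of /etc/group.
wheel_members() {
    awk -F: '$1 == "wheel" { gsub(",", " ", $4); print $4 }' /etc/group
}

# home_of LOGIN: home directory from /etc/passwd.
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6 }' /etc/passwd
}

# audit_wheel: check every wheel member's start-up files and report the
# explicit PermitRootLogin setting; returns 1 if any file is suspect.
audit_wheel() {
    bad=0
    for u in $(wheel_members); do
        h=$(home_of "$u")
        [ -n "$h" ] || continue
        for p in $PROFILE_FILES; do
            check_profile "$h/$p" "$u" || bad=1
        done
    done
    grep -Ei '^[[:space:]]*PermitRootLogin' /etc/ssh/sshd_config 2>/dev/null \
        || echo "PermitRootLogin: not set explicitly (sshd default applies)"
    return $bad
}
```

Run `audit_wheel` as root from cron and diff the output over time; a clean result only says nobody else could have edited the files, not that the account holder's own copy is untouched, so pair it with a hash of the same files kept off the box.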