Subject: Re: sshd Change: PermitRootLogin = no
To: Bill Studenmund <wrstuden@netbsd.org>
From: Curt Sampson <cjs@cynic.net>
List: current-users
Date: 09/05/2001 12:22:50
On Mon, 3 Sep 2001, Bill Studenmund wrote:

> No, at least on macppc and i386, we mark the video console (ttyE0 etc.)
> and all direct connect serial ports (tty00 through around tty07) as
> secure. I don't think at any point you've tried to argue that a modem
> connected to a serial port constitutes a "secure" connection. I do admit
> that we don't enable the serial ports (so there would be some
> configuration action before a modem on a serial port accepted logins), but
> we do mark them as "secure".

Ah, you're right; this is my mistake. I personally think that these
should not be marked as "secure," only the console. However, I don't
really give a damn any more so I'm not going to bother making the change.

> I must say I don't see why the root password is so holy it needs to be
> protected by having to come in as another user and su. Yes, I understand
> the advantage of doing an su, and I do that (log in as me and su when I
> need to do root stuff) even on systems which permit root to login. But I
> don't think it's as sacred as this thread makes it out to be.

That's no problem. I agree that there are many circumstances where
allowing direct root logins is fine and desirable.

> If you can't
> trust your admins enough that you are not comfortable with them being able
> to directly log in as root rather than having them login as him/herself
> and then su, why did you give them the root password in the first place?

Whoops! Another straw man!

1. This security measure is intended as a defense against people I've
NOT given the password to.

2. There are, anyway, conceivable circumstances where I didn't trust
them that much but had to give them the root password anyway, but I'm
not going to bother arguing that point.

> As for the, "it's now two passwords to crack," argument, I don't think
> that buys you much. Theo, in private communications, pointed out a paper
> presented at usenix (that I admit I haven't read) which indicates that you
> can snoop ssh traffic and see when someone is doing an su, and how long a
> password s/he typed. So if you're in the cracking mood, you find who does
> sus, attack such a person's account, and install a snooper.

Right. And this is just as easy as "ssh foo" followed by typing the
password? No, I don't think so.

For every single security measure out there, there's an attack that
can get around it. That doesn't mean that we should abandon all of our
security measures.

> I guess part of my concern is that, as reflected in my thoughts above,
> this change doesn't really make things more secure.

It does, in that you've just pointed out how much harder it is to do an
attack that gets you root with this measure in place.

> (*) For instance, how often do you review your authorized keys file? If
> I'm being a naughty admin and the boss admin has made it so that we have
> to su first, some time when I'm doing legit root stuff, I add a new key to
> your authorized keys file and reset the m & a times so it's not obvious.
> Then I log in as you using the key, and then su to root, and crack away.
> Then it looks like you or at least your account was at fault. Oh, and I
> remove the key & reset the a & m times when I'm done if I'm feeling really
> sneaky.

Again, much more work. So this measure is still protecting me against
someone unsophisticated who has my root password but nothing else.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 3 5778 0123   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
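The authorized_keys trick Bill describes (append a key, reset the a & m times, remove it again later) defeats a check that only looks at mtime. The following is an added example, not code from either poster or from NetBSD, showing what such a tamper check should record instead: a content hash, the parsed key set, and ctime, which utimes(2) cannot set backwards (resetting atime/mtime itself bumps ctime to the current time). The key strings, the `from="10.0.0.5"` option and the `naughty@admin` comment are constructed placeholders, not real keys; `demo()` plays out the naughty-admin scenario in a temporary directory.

```python
import hashlib
import os
import shlex
import tempfile
import time


def key_set(path):
    """Return the set of (keytype, base64-blob) pairs in an authorized_keys
    file, ignoring blank lines, comments, per-key options and trailing
    comments. shlex handles quoted options such as from="a b"."""
    keys = set()
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            fields = shlex.split(line)
            # The key type is the first field starting with ssh-/ecdsa-/sk-;
            # anything before it is the optional options field.
            for i in range(len(fields) - 1):
                if fields[i].startswith(("ssh-", "ecdsa-", "sk-")):
                    keys.add((fields[i], fields[i + 1]))
                    break
    return keys


def snapshot(path):
    """Record what an attacker who resets atime/mtime cannot forge with
    utimes(2): the file contents (hashed), its key set, and its ctime."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"sha256": digest, "keys": key_set(path),
            "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}


def audit(path, baseline):
    """Compare the current file against a stored baseline snapshot."""
    now = snapshot(path)
    return {
        "mtime_changed": now["mtime_ns"] != baseline["mtime_ns"],
        "ctime_changed": now["ctime_ns"] > baseline["ctime_ns"],
        "hash_changed": now["sha256"] != baseline["sha256"],
        "added": now["keys"] - baseline["keys"],
        "removed": baseline["keys"] - now["keys"],
    }


def demo():
    """Simulate the naughty-admin scenario from the thread: add a key, then
    reset atime and mtime so a timestamp-only check sees nothing."""
    # Constructed placeholder keys, not valid key material.
    legit = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0constructedLegitKey== "
             "cjs@cynic.net")
    rogue = ('from="10.0.0.5" ssh-ed25519 '
             "AAAAC3NzaC1lZDI1NTE5AAAAIconstructedRogueKey naughty@admin")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "authorized_keys")
        with open(path, "w") as fh:
            fh.write(legit + "\n")
        baseline = snapshot(path)
        # Let ctime advance even on filesystems with 1 s timestamp granularity.
        time.sleep(1.1)
        st = os.stat(path)
        with open(path, "a") as fh:
            fh.write(rogue + "\n")
        # The attacker's cover-up: put atime and mtime back exactly.
        os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
        return audit(path, baseline)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Run as a script it reports that mtime did not change while the hash and ctime did, and names the added key. A real deployment would keep the baseline snapshots off the host (an attacker with root can rewrite them along with the keys file) and diff every account's authorized_keys on a schedule; the ctime check is only a tripwire, since root can also move the clock or write the inode directly.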