Subject: Re: sshd Change: PermitRootLogin = no
To: James Ponder <james@squish.net>
From: Curt Sampson <cjs@cynic.net>
List: current-users
Date: 09/07/2001 12:34:41
On Thu, 6 Sep 2001, James Ponder wrote:

> Imagine the situation where you have a physically secure machine (your
> workstation) and you use key based remote root login to maintain your
> boxes.  The root password has been locked out.  You log in without ever
> transmitting a password using your unique personal key.  This is my
> situation, and whilst it may be unique, I believe I am using remote ssh
> root logins safely....

In your circumstances, depending on the security of the key you're using,
yes. But I'll note from the very first you are still protecting
against the same thing my change is protecting against: you can't get
root on that box with just the root password.

However, it seems to me that the other attack you posit (a trojan for su)
is still open: just gain access to your machine and trojan ssh.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 3 5778 0123   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC