Subject: Re: sshd Change: PermitRootLogin = non
To: Curt Sampson <cjs@cynic.net>
From: James Ponder <james@squish.net>
List: tech-security
Date: 09/10/2001 01:14:45
On Sun, Sep 09, 2001 at 04:08:27PM +0900, Curt Sampson wrote:
> With it set to "no", you do not get in with just the root
> password. Further, you do not get in with just a wheel user password,
> either; further exploits are necessary. This is the whole point: FURTHER
> EXPLOITS ARE NECESSARY.

> That's really all security is, is making it harder to do something.

I suppose NetBSD should become closed-source because that'd make it
harder for people to attack it?  I suppose you'd also like the NetBSD
team to stop being full-disclosure for the same reason?  Just think of
the improved security you could get with these two measures :-)

Wouldn't it be a far better idea to assume that your hacker has access
to all information and resources currently known and then base your
solution on that?  If security-feature Y can be circumvented then
security-feature Y is useless.  'su' can be circumvented (trivially) so
to me it's useless, and any discussions on the merits of login activities
should take this into account.

> So I agree with your implied (but perhaps unintended) conclusion here:
> this change makes the system more secure.

I realise I'm repeating myself here, but I believe su gives so little
added security that you can negate its existence.

So, in my view, to get root access (wrt this issue):

without remote root logins:
a) a wheel user password goes astray
b) a wheel user runs a potential "problem" program (maybe something as
   simple as "man" but I'm thinking here of mail clients, etc.)
c) someone shoulder-watches a user password being typed

with remote root logins:
a) a root password goes astray
b) someone shoulder-watches a root password being typed

(and it's 1am here and I'm tired, so if I missed anything... ;) )

In my view there is a much higher probability that a user would choose
the same password on multiple systems than they would choose the same
root password.

In my view the majority of people allowed to become root do so from their
user account where they perform other activities.

In my view in a login / su environment it is just as likely you can
shoulder watch a user password as it is a root password.  The sysadmins
who have to type 'su' need to login after all.

Contra, there is no accounting.  Since the only way this is any good is by
having remote syslogging, in my view this is not going to be a priority
for the majority of users.

Plus the ssh timing problems which have been explored by others.

So compared to login / su, I'm still a 'direct root login' advocate...

Even if none of this is persuasive to you, surely you must at least have
some doubt as to how clear-cut this change is?  Coupled with the simple
fact that this is not the default setting with openssh?


Best wishes, James
-- 
James Ponder; www.squish.net; London, UK
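The accounting point raised above (su records who became root; a direct root login does not), as an added example that is not part of the original thread: a small Python script that parses constructed BSD-style syslog lines and reports which root acquisitions can be tied to a named operator. The sshd and su message formats are assumed from typical syslog output, and the sample lines, hosts and addresses are made up.

```python
import re

# Constructed sample log in BSD syslog style (not from the original thread).
SAMPLE_LOG = """\
Sep  9 16:08:27 host sshd[1234]: Accepted password for root from 192.0.2.10 port 51234 ssh2
Sep  9 16:09:01 host sshd[1240]: Accepted publickey for alice from 192.0.2.11 port 51235 ssh2
Sep  9 16:09:30 host su: alice to root on /dev/ttyp1
Sep  9 16:10:02 host su: BAD SU bob to root on /dev/ttyp2
"""

SSHD_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port \d+")
SU_RE = re.compile(r"su: (BAD SU )?(\S+) to root on (\S+)")

def root_access_events(log_text):
    """Return one record per event that yields (or tries to yield) root.

    A direct root ssh login carries no operator name, only a source address;
    an su record names the login that asked for root, which is the accounting
    the thread says direct root login lacks."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            method, user, src = m.groups()
            if user == "root":  # only root logins are root acquisitions
                events.append({"via": "sshd", "operator": None, "source": src,
                               "method": method, "success": True})
            continue
        m = SU_RE.search(line)
        if m:
            failed, user, tty = m.groups()
            events.append({"via": "su", "operator": user, "source": tty,
                           "method": "password", "success": failed is None})
    return events

def attribution_summary(log_text):
    """Count successful root acquisitions that can be tied to a named
    operator; the rest are attributable only to a source address."""
    summary = {"attributable": 0, "unattributable": 0, "failed_su": 0}
    for ev in root_access_events(log_text):
        if not ev["success"]:
            summary["failed_su"] += 1
        elif ev["operator"] is None:
            summary["unattributable"] += 1
        else:
            summary["attributable"] += 1
    return summary

if __name__ == "__main__":
    print(attribution_summary(SAMPLE_LOG))
```

On a real host the log would be read from the auth log file (and, per the thread, ideally from a remote syslog copy) instead of the embedded sample.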