On October 5, 2004 12:02, s. keeling wrote:
> > i'd be surprised if allowing remote root logins would create any sort of
> > resultant liability issues.
>
> "In some jurisdictions ..."  US tort law is broken.  Any nitwit can
> drag you into court and sue you with few to no ramifications.  At
> least here, the loser generally has to pay court costs.

which is why OpenSSH itself and virtually all Linux distros ship with root 
logins permitted? hm. where did you get your legal information, btw? 

> > ........................... in fact, it's probably easier for a cracker
> > to
>
> .......................................^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>^
>
> > gain root once local to the box than it is to do so remotely using a
> > password
>
> ..^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> Is that not an argument in favour of forcing them to get a local
> account first?!?

re-read what i wrote, i don't think you understood it the first time through. 
or maybe i wasn't clear enough, so let me try again:

brute forcing a root password via ssh is pretty noisy, and you've 
(hopefully ;) got a LARGE search space to go through.

brute forcing a user password is just as difficult, and nearly as noisy. but 
usually those passwords are easier to get at via means other than brute force 
guessing. gaining root once you have a local account via exploiting any 
number of local bugs that may exist is often easier and usually completely 
silent. even if there aren't local exploits available, it's quieter to brute 
force locally than remotely.

ergo, simply offering remote logins is, from a legal liability standpoint, a 
hazard at least equal to if not more than offering root logins directly. 
which was my point: if legal liability is an issue, you shouldn't have remote 
logins turned on at all. for anyone. period.

this is obviously a ridiculous and stupid idea, which is what leads me to 
believe that your claim that there would be legal liability attached is 
bogus.

that and the aforementioned fact that everyone ships with that as a default, 
even those distros that won't distribute mp3 libraries due to legal issues.

> If you have any reasonable justifications to throw away good security
> practices, by all means, tell us.  "It's a pain" is hardly in that
> category.

did i say any of that? nope. put that strawman back in the cornfield, please.

-- 
Aaron J. Seigo

_______________________________________________
clug-talk mailing list
[EMAIL PROTECTED]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)
**Please remove these lines when replying
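As an added, defender-side illustration of the thread's point that password brute-forcing over ssh is noisy: the script below is not code from this list or from OpenSSH; it counts failed-password attempts per source in the line format sshd writes to syslog. The log lines are constructed, the addresses come from the documentation ranges, and the alert threshold is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth.log excerpt in the classic syslog format sshd uses.
# One source hammers root (and a non-existent "admin") with passwords;
# a real user has a single typo followed by a successful login.
SAMPLE_AUTH_LOG = """\
Oct  5 12:01:03 gw sshd[4021]: Failed password for root from 198.51.100.7 port 50112 ssh2
Oct  5 12:01:05 gw sshd[4021]: Failed password for root from 198.51.100.7 port 50112 ssh2
Oct  5 12:01:08 gw sshd[4023]: Failed password for root from 198.51.100.7 port 50118 ssh2
Oct  5 12:01:11 gw sshd[4025]: Failed password for invalid user admin from 198.51.100.7 port 50120 ssh2
Oct  5 12:01:15 gw sshd[4027]: Failed password for root from 198.51.100.7 port 50124 ssh2
Oct  5 12:02:40 gw sshd[4030]: Accepted publickey for aaron from 192.0.2.20 port 40222 ssh2
Oct  5 12:03:02 gw sshd[4033]: Failed password for aaron from 192.0.2.20 port 40230 ssh2
Oct  5 12:03:10 gw sshd[4035]: Accepted password for aaron from 192.0.2.20 port 40231 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (unknown account names).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text):
    """Yield (user, source address) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("user"), m.group("src")


def summarize(log_text, threshold=3):
    """Aggregate failures per source and flag sources at or above threshold.

    threshold is an assumed value for this example; tune it to the host.
    Returns a dict with total failures, root-targeted failures, the set of
    usernames tried per source, and the sorted list of flagged sources.
    """
    per_src = Counter()
    root_per_src = Counter()
    users_per_src = defaultdict(set)
    for user, src in parse_failures(log_text):
        per_src[src] += 1
        users_per_src[src].add(user)
        if user == "root":
            root_per_src[src] += 1
    flagged = sorted(src for src, n in per_src.items() if n >= threshold)
    return {
        "failures": dict(per_src),
        "root_failures": dict(root_per_src),
        "users": {s: sorted(u) for s, u in users_per_src.items()},
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_AUTH_LOG)
    for src in report["flagged"]:
        print(f"{src}: {report['failures'][src]} failed password attempts, "
              f"{report['root_failures'].get(src, 0)} against root, "
              f"users tried: {', '.join(report['users'][src])}")
```

Run against the sample, the single source that guesses root passwords stands out after a handful of lines, while the legitimate user's one typo stays below the threshold. On a host where the same question as in this thread comes up, the complementary configuration side is the `PermitRootLogin` and `PasswordAuthentication` directives in sshd_config; setting both to `no` removes the root password as a remote target, and leaves the log above with nothing to flag.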