on Tue, Jan 24, 2006 at 03:44:34PM -0800, Paul Johnson ([EMAIL PROTECTED]) wrote:
> On Tuesday 24 January 2006 08:36, Juraj Fedel wrote:
> > On Mon, Jan 23, 2006 at 04:26:47PM -0300, José Pablo Ezequiel Fernández wrote:
> > > On Mon 23 Jan 2006 15:53, Andreas Janssen wrote:
> > > > Are root logins allowed on the server? What does the server's auth.log
> > > > say?
> > >
> > > That was it, thank you!
> > How do you enable root login if they are disallowed?
>
> Don't. Log in as a normal user and use su or sudo.

Most preferably sudo. The reason being: while it's still possible that a user account may be compromised:

1. If you're using sudo, not 'su', then you may be able to keep the root password from being a widely known secret. Which is to say, not a secret. Very poor (if however, common) practice.

2. You can now identify *which* user account is compromised. If you can do this *before* root is compromised, you may be able to both prevent a root compromise *and* block that user from accessing until they've resecured their own authentication tokens.

3. Even should root be compromised, following a restore/rebuild of your system from known trusted media, you can then limit access by the account(s) known to be untrusted. Particularly if you limit remote SSH access to other than persistent password tokens (e.g.: public key authentication, one-time passwords, password generators, etc.).

While it's true that evil evildoers of evil can do things like wipe logs (you *do* have a remote, separately authenticated logging host, right?), you've got a much better likelihood of being able to determine the route by which an attacker gained access to your system and take appropriate countermeasures.

Suddenly finding out that "root isn't trusted" and having nothing to go on is a markedly worse situation.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
MX Radio - With Bob Edwards, who needs NPR? http://www.xmradio.com/
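
The attribution argument in the message above, shown as an added example that is not part of the original thread: a small parser run over constructed auth.log lines, contrasting what a direct root login, an su and a sudo entry each let you pin on a named account. The function name `attribute_root_access`, the host name and all addresses are assumptions made for illustration; the line layouts follow the usual Debian sshd, su and sudo syslog messages.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual Debian auth.log layout (not from the thread).
SAMPLE_LOG = """\
Jan 24 15:40:02 srv sshd[2101]: Accepted publickey for alice from 192.0.2.10 port 40022 ssh2
Jan 24 15:41:10 srv sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jan 24 15:42:31 srv sshd[2140]: Accepted password for bob from 198.51.100.7 port 51515 ssh2
Jan 24 15:43:05 srv su[2155]: Successful su for root by bob
Jan 24 15:44:34 srv sshd[2170]: Accepted password for root from 203.0.113.99 port 33211 ssh2
Jan 24 15:45:00 srv sudo:    alice : TTY=pts/0 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
"""

SSH_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=root ; COMMAND=(.*)$")
SU_RE = re.compile(r"su\[\d+\]: Successful su for root by (\S+)")

def attribute_root_access(log_text):
    """Summarise how root was reached and which account can be held to it."""
    report = {
        "direct_root_logins": [],            # only a source address, no person
        "password_logins": [],               # accounts using reusable passwords
        "su_to_root": [],                    # who became root, not what they ran
        "sudo_commands": defaultdict(list),  # per-user record of root commands
    }
    for line in log_text.splitlines():
        if m := SSH_RE.search(line):
            method, user, source = m.groups()
            if user == "root":
                report["direct_root_logins"].append((source, method))
            if method == "password":
                report["password_logins"].append(user)
        elif m := SUDO_RE.search(line):
            report["sudo_commands"][m.group(1)].append(m.group(2))
        elif m := SU_RE.search(line):
            report["su_to_root"].append(m.group(1))
    return report

if __name__ == "__main__":
    for key, value in attribute_root_access(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, dict) else value)
```

Run it against a copy of the log held on the separate logging host rather than on the machine under suspicion.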