John Galt <[EMAIL PROTECTED]> writes:
> that's what happened--the EPIC hole gave user. monkey.org (Dug Song) was
> using standard security practice at that point, it's just for
> convenience's sake, the user had a few things screened, including a
> rootshell, probably because of the traditional Co
hi ya john
On Wed, 26 Jun 2002, John Galt wrote:
> On Wed, 26 Jun 2002, Alvin Oga wrote:
> >
> >if an attacker got in ... as a user game over... they got in ???
> > - question is what damage can they do as "user" ...
>
> that's what happened--the EPIC hole gave user. monkey.org (Dug So
Travis Cole <[EMAIL PROTECTED]> writes:
> On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:
> > Hi all
> >
> > Messing up with sshd_config for all the privsep stuff, I've
> > noticed that PermitRootLogin was set to yes in my three woody
> > boxes. I usually consider t
On Wed, 26 Jun 2002, Alvin Oga wrote:
>
>hi all
>
>if an attacker got in ... as a user game over... they got in ???
> - question is what damage can they do as "user" ...
that's what happened--the EPIC hole gave user. monkey.org (Dug Song) was
using standard security practice at that
Alvin,
If the cracker can get in as a user, it's merely a matter of time before they
can worm their way into becoming root. Defenses against this are difficult; the
NSA version "SELinux" deliberately places great restrictions on user abilities
to try to prevent just such things. But I don't thi
hi ya
in order to update 10, 100 boxes ... with new set of changes..
you do NOT need to login into any of um ... many different ways to update
each target box based on some "master distribution server"
-- you do want to test the updates in a test farm before it goes out to
production and prot
hi all
if an attacker got in ... as a user game over... they got in ???
- question is what damage can they do as "user" ...
if an attacker get in the same way as root... game is really over...
as they now have complete control of your machine..
- i prefer to disallow root l
On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:
> Hi all
>
> Messing up with sshd_config for all the privsep stuff, I've noticed that
> PermitRootLogin was set to yes in my three woody boxes. I usually
> consider this a problem (although it has been my fault - i shoul
That's how monkey.org got taken over--they SCREENed a su, and the attacker
reattached it after getting as user via EPIC...
On 26 Jun 2002, Christian Egli wrote:
>
>Simon Kirby <[EMAIL PROTECTED]> writes:
>
>> Using "su root" later is worse than just logging in as root with a key.
>
>I cannot un
On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:
> Hi all
>
> Messing up with sshd_config for all the privsep stuff, I've noticed that
> PermitRootLogin was set to yes in my three woody boxes. I usually
> consider this a problem (although it has been my fault - i shoul
I think there may be a compromise solution here...
In short: it is good to make people log in as a normal user before trying
to log in as root, because that way an attacker needs to compromise a
normal user before starting on root. The standard way of doing this is
to use "su", but that only acce
Sebastian Rittau <[EMAIL PROTECTED]> writes:
> On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:
>
> > IMHO, we'd better set it to no. I always thought it was much better. Is
> > there any landscape in which you may want to allow direct root login to
> > your host?
>
El mié, 26-06-2002 a las 16:39, Sebastian Rittau escribió:
> Yes, there is. For example I have some servers that retrieve their user
> information from a database. If the database is not reachable, an
> ordinary user can't login, but root can, since it's the only local
> account with login privileg
On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:
> IMHO, we'd better set it to no. I always thought it was much better. Is
> there any landscape in which you may want to allow direct root login to
> your host?
Yes, there is. For example I have some servers that retrie
On Wed, Jun 26, 2002 at 05:08:32PM +0200, Christian Egli wrote:
> Simon Kirby <[EMAIL PROTECTED]> writes:
>
> > Using "su root" later is worse than just logging in as root with a key.
>
> I cannot understand why using "su root" later would be worse. Can you
> enlighten me?
Sure.
In all cases,
On Wed, Jun 26, 2002 at 04:05:58PM +0200, Christoph Ulrich Scholler wrote:
On Wed, Jun 26, 2002 at 02:11:00PM +0200 or thereabouts,
InfoEmergencias - Luis Gómez wrote:
> Messing up with sshd_config for all the privsep stuff, I've noticed that
> PermitRootLogin was set to yes in my three woody
Simon Kirby <[EMAIL PROTECTED]> writes:
> Using "su root" later is worse than just logging in as root with a key.
I cannot understand why using "su root" later would be worse. Can you
enlighten me?
--
Christian Egli
wyona: research & development
http://www.wyona.com
On Wed, Jun 26, 2002 at 04:05:58PM +0200, Christoph Ulrich Scholler wrote:
> On Wed, Jun 26, 2002 at 02:11:00PM +0200 or thereabouts, InfoEmergencias -
> Luis Gómez wrote:
> > Messing up with sshd_config for all the privsep stuff, I've noticed that
> > PermitRootLogin was set to yes in my three w
On Wed, Jun 26, 2002 at 02:11:00PM +0200 or thereabouts, InfoEmergencias - Luis
Gómez wrote:
> Messing up with sshd_config for all the privsep stuff, I've noticed that
> PermitRootLogin was set to yes in my three woody boxes. I usually
> consider this a problem (although it has been my fault - i s
I tend to set it to "without-password" to allow a remote root entry only
via RSA/DSA keys, also making sure to restrict it further with as many
applicable options for "AuthorizedKeysFile" ( man sshd )
This is done as a restricted remote root backdoor as well as automated
network backups via dump
On Wed, Jun 26, 2002 at 02:11:00PM +0200, InfoEmergencias - Luis Gómez wrote:
> IMHO, we'd better set it to no. I always thought it was much better. Is
> there any landscape in which you may want to allow direct root login to
> your host?
rsync where you want to keep userid/groupid info.
>Is
> there any landscape in which you may want to allow direct
> root login to
> your host?
I allow it to my firewall, since there isn't any other account on there. But
then again, that system only listens to my internal interfaces.. So, not
typical maybe?
Hi all
Messing up with sshd_config for all the privsep stuff, I've noticed that
PermitRootLogin was set to yes in my three woody boxes. I usually
consider this a problem (although it has been my fault - i should have
checked and noticed this much time ago). What do you think of this?
IMHO, we'd b