Talk:Security (Why FreeBSD?)
(Stupid and wrong argumentation for dissalowing root login via ssh) |
(Nope.) |
||
Line 14: | Line 14: | ||
The reason not to allow root login is simple. You want the root´ing people to authenticate as an ordinary user first, in order to track the su´ing people down in the logs (assuming they do not remove themselves from the logfiles ...). | The reason not to allow root login is simple. You want the root´ing people to authenticate as an ordinary user first, in order to track the su´ing people down in the logs (assuming they do not remove themselves from the logfiles ...). | ||
+ | |||
+ | == Nope. == | ||
+ | |||
+ | You can't attempt to crack the hashes directly when root login is allowed, but you CAN attempt a brute-force or dictionary attack against the root account using an SSH plugin. If root login isn't allowed, you can't do that, because you first need to know the name of an account that is a member of the wheel group, THEN you need to know its password, THEN you need to find the password for root. The original argument stands; you simply misinterpreted it. | ||
+ | |||
+ | --[[User:Jimbo|Jimbo]] 23:40, 4 Dec 2004 (EST) |
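Review bot: the added heading "== Nope. ==" opens a new section whose title does not say what is being answered, so the reply is detached from the root-login-via-ssh section it responds to. Consider posting it as an indented reply under that section, or giving the heading the topic (root login over SSH) so the thread stays readable from the table of contents.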
Revision as of 23:40, 4 December 2004
Is there going to be a "how to tighten your machine" section or article? I don't mean line-by-line "here's how to set up a firewall" but stuff like changing password hashing to use blowfish rather than DES or MD5, killing the MOTD etc etc
-d.
There is if you write it, which you certainly have my blessing to do.
--Jimbo 21:14, 12 Sep 2004 (GMT)
Stupid and wrong argumentation for disallowing root login via ssh
While we agree on the conclusion, that root login should not be allowed by default, the argument given in the previous section is FUD, wrong, void and makes me wonder if one can trust what else is said about BSD. To use John the Ripper you need read access to /etc/password and /etc/shadow, where all modern Linuxes keep the encrypted passwords. You need to be root to read /etc/shadow as it is always installed 0600 uid root. So if you can read /etc/shadow you already have root access, which means you have no reason to run the john, as you know the root password already.
The reason not to allow root login is simple. You want the root'ing people to authenticate as an ordinary user first, in order to track the su'ing people down in the logs (assuming they do not remove themselves from the logfiles ...).
Nope.
You can't attempt to crack the hashes directly when root login is allowed, but you CAN attempt a brute-force or dictionary attack against the root account using an SSH plugin. If root login isn't allowed, you can't do that, because you first need to know the name of an account that is a member of the wheel group, THEN you need to know its password, THEN you need to find the password for root. The original argument stands; you simply misinterpreted it.
--Jimbo 23:40, 4 Dec 2004 (EST)
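Both points raised in this thread, attributing each su to root to a named account and spotting password guessing aimed at root over SSH, can be checked from the auth log. The following is an added example, not part of the original discussion: the log lines are constructed in the style of sshd and FreeBSD su syslog messages, and `summarize` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample lines (not from the page), styled after sshd and su syslog output.
SAMPLE_LOG = """\
Dec  4 23:31:02 host sshd[811]: Failed password for root from 192.0.2.44 port 40112 ssh2
Dec  4 23:31:05 host sshd[811]: Failed password for root from 192.0.2.44 port 40112 ssh2
Dec  4 23:31:09 host sshd[814]: Failed password for invalid user admin from 192.0.2.44 port 40120 ssh2
Dec  4 23:35:40 host sshd[902]: Accepted password for alice from 198.51.100.7 port 51514 ssh2
Dec  4 23:36:12 host su: alice to root on /dev/ttyp0
Dec  4 23:38:55 host sshd[950]: Accepted password for bob from 198.51.100.9 port 51990 ssh2
Dec  4 23:39:20 host su: BAD SU bob to root on /dev/ttyp1
"""

SSH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+)")
SU_RE = re.compile(r" su: (BAD SU )?(\S+) to (\S+) on ")


def summarize(log_text):
    """Count SSH attempts against root and tie each su-to-root to a login."""
    last_login = {}  # user -> source address of the most recent accepted SSH login
    report = {"root_ssh_failures": Counter(),  # source address -> failed tries
              "root_ssh_logins": [],           # sources of direct root logins
              "su_to_root": []}                # (user, outcome, login source)
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if m:
            result, user, source = m.groups()
            if user == "root" and result == "Failed":
                report["root_ssh_failures"][source] += 1
            elif user == "root":
                report["root_ssh_logins"].append(source)
            elif result == "Accepted":
                last_login[user] = source
            continue
        m = SU_RE.search(line)
        if m and m.group(3) == "root":
            outcome = "failed" if m.group(1) else "ok"
            user = m.group(2)
            report["su_to_root"].append(
                (user, outcome, last_login.get(user, "unknown")))
    return report


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

With root login over SSH disabled, `root_ssh_logins` should stay empty and every entry in `su_to_root` names the account that escalated.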