Talk:Security (Why FreeBSD?)
Revision as of 20:17, 4 December 2004
Is there going to be a "how to tighten your machine" section or article? I don't mean line-by-line "here's how to set up a firewall" but stuff like changing password hashing to use Blowfish rather than DES or MD5, killing the MOTD etc. etc.
-d.
There is if you write it, which you certainly have my blessing to do.
--Jimbo 21:14, 12 Sep 2004 (GMT)
Stupid and wrong argumentation for disallowing root login via ssh
While we agree on the conclusion, that root login should not be allowed by default, the argument given in the previous section is FUD, wrong, void and makes me wonder if one can trust what else is said about BSD. To use John the Ripper you need read access to /etc/passwd and /etc/shadow, where all modern Linuxes keep the encrypted passwords. You need to be root to read /etc/shadow as it is always installed 0600 uid root. So if you can read /etc/shadow you already have root access, which means you have no reason to run john, as you know the root password already.
The reason not to allow root login is simple. You want the rooting people to authenticate as an ordinary user first, in order to track the su-ing people down in the logs (assuming they do not remove themselves from the logfiles ...).
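The logging argument made above, worked through as an added example (not code from the page or from the FreeBSD project): it correlates sshd "Accepted ..." lines with su-to-root lines so each escalation can be traced back to the ssh session and source address that preceded it. The log lines are constructed, and the sshd/su message formats are assumed to follow the usual syslog wording.

```python
import re

# Constructed syslog-style sample (not from a real host): one user who logs in
# and su's to root, one refused direct root login, one direct root login that a
# PermitRootLogin=no policy would have prevented, and an su with no ssh session.
SAMPLE_LOG = """\
Dec  4 20:16:50 bsdbox sshd[1200]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Dec  4 20:17:01 bsdbox su[1234]: alice to root on /dev/pts/0
Dec  4 20:18:00 bsdbox sshd[1300]: ROOT LOGIN REFUSED FROM 198.51.100.7 port 40001
Dec  4 20:19:12 bsdbox sshd[1400]: Accepted password for root from 203.0.113.5 port 40777 ssh2
Dec  4 20:20:30 bsdbox su[1500]: bob to root on /dev/pts/1
"""

# Assumed message shapes (sshd auth.c / FreeBSD su syslog wording).
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")
SU_ROOT = re.compile(r"su\[\d+\]: (\S+) to root on (\S+)")
REFUSED = re.compile(r"sshd\[\d+\]: ROOT LOGIN REFUSED FROM (\S+)")


def summarize(log_text):
    """Report every path to root seen in the log, tying su events to the
    ordinary-user ssh login that came before them."""
    last_source = {}  # user -> most recent ssh source address
    report = {"su_to_root": [], "direct_root": [], "refused_root": []}
    for line in log_text.splitlines():
        if m := ACCEPTED.search(line):
            user, addr = m.groups()
            if user == "root":
                # Only possible when sshd still permits root login.
                report["direct_root"].append(addr)
            else:
                last_source[user] = addr
        elif m := SU_ROOT.search(line):
            user, tty = m.groups()
            # "unknown": no ssh login for that user precedes the su, so the
            # trail the post relies on is missing (console session or log gap).
            report["su_to_root"].append((user, tty, last_source.get(user, "unknown")))
        elif m := REFUSED.search(line):
            report["refused_root"].append(m.group(1))
    return report


if __name__ == "__main__":
    for kind, events in summarize(SAMPLE_LOG).items():
        print(kind, events)
```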