:: Re: [DNG] Beware
Author: Didier Kryn
Date:  
To: dng
Subject: Re: [DNG] Beware
On 19/01/2016 22:58, Stephanie Daugherty wrote:
>
> On Tue, Jan 19, 2016 at 4:12 PM, Arnt Karlsen <arnt@???
> <mailto:arnt@iaksess.no>> wrote:
>
>     ..why did Debian kill ssh into localhost?
>     Is su or sudo safer than ssh nowadays?
>
> Because the architecture of Linux guarantees that root has a fixed
> account name, fixed UID, and, if in a server environment, will be
> essentially a shared account, it's considered a long standing best
> practice to not let people log in directly as root, at least not
> remotely. This makes sure there's an audit trail of logging in with
> the unprivileged user and then elevating to root, rather than just the
> root login that doesn't indicate which of possibly several users was
> responsible. It also means a brute force against the root account is
> more difficult to automate, since you need to attack an unprivileged
> account first, and it offers a little bit of protection against a weak
> root password.


     I guess you are talking of the default /etc/ssh/sshd_config. But it
is the role of the (veteran) admin to edit this config file, and ssh
provides a per address-range configuration. Therefore it is very easy
to allow root login from localhost, or even from the LAN, while
forbidding it from other addresses.


     man sshd_config says:

Match   Introduces a conditional block.  If all of the criteria on the
        Match line are satisfied, the keywords on the following lines
        override those set in the global section of the config file,
        until either another Match line or the end of the file.

        The arguments to Match are one or more criteria-pattern pairs.
        The available criteria are User, Group, Host, and Address.  The
        match patterns may consist of single entries or comma-separated
        lists and may use the wildcard and negation operators described
        in the PATTERNS section of ssh_config(5).

        The patterns in an Address criteria may additionally contain
        addresses to match in CIDR address/masklen format, e.g.
        “192.0.2.0/24” or “3ffe:ffff::/32”.  Note that the mask length
        provided must be consistent with the address - it is an error to
        specify a mask length that is too long for the address or one
        with bits set in this host portion of the address.  For example,
        “192.0.2.0/33” and “192.0.2.0/8” respectively.

        Only a subset of keywords may be used on the lines following a
        Match keyword.  Available keywords are AllowAgentForwarding,
        AllowTcpForwarding, AuthorizedKeysFile, AuthorizedPrincipalsFile,
        Banner, ChrootDirectory, ForceCommand, GatewayPorts,
        GSSAPIAuthentication, HostbasedAuthentication,
        HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
        KerberosAuthentication, MaxAuthTries, MaxSessions,
        PasswordAuthentication, PermitEmptyPasswords, PermitOpen,
        PermitRootLogin, PermitTunnel, PubkeyAuthentication,
        RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
        X11Forwarding and X11UseLocalHost.
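A worked model of the Match Address behaviour quoted above, added here and not part of the mail or of OpenSSH: a constructed sshd_config fragment that refuses root login globally and re-enables it only for localhost and one LAN range (minus one excluded host), with a small Python evaluator that follows the manual's pattern-list rules (comma lists, negation, CIDR validation). It assumes sshd's first-obtained-value rule for resolving keywords and models only the Address criterion.

```python
import ipaddress

# Constructed sshd_config fragment (not from the original mail): root login is
# refused globally and re-enabled only for localhost and one LAN range.
SSHD_CONFIG = """\
PermitRootLogin no
Match Address 127.0.0.1,::1
    PermitRootLogin yes
Match Address !192.0.2.1,192.0.2.0/24
    PermitRootLogin yes
"""

def address_matches(client, pattern_list):
    # 1 = positive match, 0 = no match, -1 = a negated entry matched (a negation
    # never yields a positive result by itself). Every entry is parsed first, so
    # 192.0.2.0/33 (mask too long) or 192.0.2.1/24 (host bits set) raise ValueError.
    addr = ipaddress.ip_address(client)
    entries = [(e.startswith("!"), ipaddress.ip_network(e.lstrip("!"), strict=True))
               for e in pattern_list.split(",")]
    result = 0
    for negated, net in entries:
        if addr in net:  # always False when address and network versions differ
            if negated:
                return -1
            result = 1
    return result

def is_valid_address_list(pattern_list):
    try:
        return address_matches("0.0.0.0", pattern_list) >= -1
    except ValueError:
        return False

def effective_setting(config, client, keyword):
    # The first matching Match block that sets the keyword wins, otherwise the
    # global value applies (sshd's first-obtained-value rule, assumed here).
    global_value = match_value = None
    in_match = active = False
    for parts in (line.split() for line in config.splitlines()):
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "Match":  # only the Address criterion is modelled
            in_match = True
            active = parts[1] == "Address" and address_matches(client, parts[2]) == 1
            continue
        if parts[0] == keyword and not in_match and global_value is None:
            global_value = parts[1]
        elif parts[0] == keyword and in_match and active and match_value is None:
            match_value = parts[1]
    return match_value if match_value is not None else global_value
```

Run effective_setting(SSHD_CONFIG, "192.0.2.1", "PermitRootLogin") to see the excluded LAN host fall back to the global "no" while its neighbours get "yes".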