Home > Admin stuff > No remote root logins (even with SSH)

No remote root logins (even with SSH)

May 19th, 2009

OK. Not really “Programming stuff” anymore. But still important:

Don’t allow remote root logins at all, even with SSH

Why not? Because:

  • User name of root is known, therefore the account is vulnerable for brute-force attacks
  • Working as root should be an explicit switch and not the default policy. Just like being aware of switching hats.
  • Bad for auditing, if multiple users have root access.

But now you say: “I don’t care as I use SSH for logins”.

  • Depending on the auth method, password is still transfered over the wire.
  • But using public key auth instead of passwords might be even worse. Still you have to trust all(!) clients that the private key is stored safely. Read:
  • “Good enough” passphrase.
  • There is no way to tell from the public key (which is the only thing known by the server), if the private key has a passphrase at all.
  • Trust the client system (that it is not compromised)
  • Auto lock of the client system must be enabled after a few minutes of inactivity.
  • Sensible use of background daemons like ssh-agent or Pageant(Putty for Windows) on client systems necessary. What if the users start the keyring app, enters his passphrase and never shuts down his system. And now imagine a laptop running out-in-the-wild without any local password protection having an open private key in its memory!

What to do? Dunno. Maybe:

  • Use “ordinary” user accounts
  • SSH with either public key or passwd auth (depending on your decisions reg the previous points)
  • Enforce sudo (better) or su (less better) to gain temporarily root privileges

Anything else???

Categories: Admin stuff
Comments are closed.