Functionality
Tom Holroyd
tomh at po.crl.go.jp
Fri Apr 27 11:25:35 EST 2001
> > What he is proposing is for OpenSSH to disregard a system-wide policy
> > decision -- that root should not be permitted to directly log in from
> > the network. There are more reasons to disable remote logins as root
> > (vs. normal login then su) than just to prevent plaintext use of the
> > root password; for example, audit trails for a group of admins or site
> > security policies. This patch would violate the expected behavior of
> > the system.

As we all know, disabling remote root logins as a security measure is an
old policy from the days before strong authentication methods. As pointed
out above, there *are* other issues, but they also have other solutions.

These days, normal login followed by su is less secure than allowing a
direct root login.

    ssh -l user host
    su
    <root password exposed to traffic analysis>

vs.

    ssh -l root host
    <with hostbased, public key, and SRP>

and if you want a better audit trail:

    root:x:0:0:root:/root:/bin/sh
    fred:x:0:0:root:/root:/bin/sh
    joe:x:0:0:root:/root:/bin/sh
    frank:x:0:0:root:/root:/bin/sh

where they all have different passwords (and 'root' has no valid password).

A weirder idea would be to write a version of su that talks to the
ssh-agent, but ssh-agent can't ask for passwords right now...

Of course, OpenSSH should not attempt to dictate policy.
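
An audit check for the shared-UID-0 layout shown in the message above, added here as an example; it is not part of the original post or of OpenSSH. The shadow entries, the function names and the joe/frank hash collision are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data. The passwd lines mirror the layout in the message;
# the shadow hash strings are placeholders, not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
fred:x:0:0:root:/root:/bin/sh
joe:x:0:0:root:/root:/bin/sh
frank:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:!:19000:0:99999:7:::
fred:$6$saltA$PLACEHOLDERHASHA:19000:0:99999:7:::
joe:$6$saltB$PLACEHOLDERHASHB:19000:0:99999:7:::
frank:$6$saltB$PLACEHOLDERHASHB:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

def parse(text, min_fields):
    """Yield colon-separated records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= min_fields and not fields[0].startswith("#"):
            yield fields

def audit_uid0(passwd_text, shadow_text):
    """Report UID-0 accounts and the state of each one's password field."""
    uid0 = [f[0] for f in parse(passwd_text, 7) if f[2] == "0"]
    hashes = {f[0]: f[1] for f in parse(shadow_text, 2)}
    report = {"uid0": uid0, "locked": [], "empty": [], "missing": [], "shared": []}
    by_hash = defaultdict(list)
    for name in uid0:
        h = hashes.get(name)
        if h is None:
            report["missing"].append(name)      # no shadow entry at all
        elif h == "":
            report["empty"].append(name)        # logs in with no password
        elif h[0] in "!*":
            report["locked"].append(name)       # no valid password
        else:
            by_hash[h].append(name)
    # Identical hash strings mean identical salt and password. The same
    # password under different salts cannot be detected from the file.
    report["shared"] = sorted(sorted(n) for n in by_hash.values() if len(n) > 1)
    return report

if __name__ == "__main__":
    for key, value in audit_uid0(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{key}: {value}")
```

On the constructed data the report lists four UID-0 names, shows root as locked, and flags joe and frank for carrying the same hash, which breaks the "all have different passwords" condition the scheme relies on.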