Functionality

Tom Holroyd tomh at po.crl.go.jp
Fri Apr 27 11:25:35 EST 2001


> > What he is proposing is for OpenSSH to disregard a system-wide policy
> > decision -- that root should not be permitted to directly log in from
> > the network.  There are more reasons to disable remote logins as root
> > (vs. normal login then su) than just to prevent plaintext use of the
> > root password; for example, audit trails for a group of admins or site
> > security policies.  This patch would violate the expected behavior of
> > the system.

As we all know, disabling remote root logins as a security measure is an
old policy from the days before strong authentication methods.  As pointed
out above, there *are* other issues, but they also have other solutions.
These days, normal login followed by su is less secure than allowing a
direct root login.

	ssh -l user host
	su
	<root password exposed to traffic analysis>

vs.

	ssh -l root host
	<with hostbased, public key, and SRP>

and if you want a better audit trail:

	root:x:0:0:root:/root:/bin/sh
	fred:x:0:0:root:/root:/bin/sh
	joe:x:0:0:root:/root:/bin/sh
	frank:x:0:0:root:/root:/bin/sh

where they all have different passwords (and 'root' has no valid password).

A weirder idea would be to write a version of su that talks to the
ssh-agent, but ssh-agent can't ask for passwords right now...

Of course, OpenSSH should not attempt to dictate policy.




More information about the openssh-unix-dev mailing list
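An added example, not part of the original post or of OpenSSH: a check that a passwd/shadow pair actually meets the two conditions the post attaches to its shared-UID-0 scheme, namely that every alias has its own password and that 'root' itself has no valid one. The account names come from the post; the 'tom' entry, the shadow lines and the function names are assumptions made for the illustration.

```python
# Constructed sample data: names follow the post, hashes are placeholders.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
fred:x:0:0:root:/root:/bin/sh
joe:x:0:0:root:/root:/bin/sh
frank:x:0:0:root:/root:/bin/sh
tom:x:1000:1000:Tom:/home/tom:/bin/sh
"""
SHADOW = """\
root:*:11439:0:99999:7:::
fred:$6$saltA$constructedhashA:11439:0:99999:7:::
joe:$6$saltB$constructedhashB:11439:0:99999:7:::
frank:$6$saltB$constructedhashB:11439:0:99999:7:::
tom:$6$saltC$constructedhashC:11439:0:99999:7:::
"""

def uid0_accounts(passwd_text):
    """Names of every passwd entry whose UID field is 0, in file order."""
    rows = (line.split(":") for line in passwd_text.splitlines())
    return [f[0] for f in rows if len(f) == 7 and f[2] == "0"]

def is_locked(field):
    """'*' or a leading '!' can never match a password; '' means no password."""
    return field.startswith(("!", "*"))

def audit(passwd_text, shadow_text):
    """Findings where the UID-0 aliases break the scheme's two conditions."""
    shadow = dict(line.split(":")[:2] for line in shadow_text.splitlines() if ":" in line)
    findings, owner = [], {}
    for name in uid0_accounts(passwd_text):
        field = shadow.get(name)
        if field is None:
            findings.append(f"{name}: no shadow entry")
        elif name == "root":
            if not is_locked(field):
                findings.append("root: password field is not locked")
        elif field == "":
            findings.append(f"{name}: empty password field")
        elif is_locked(field):
            continue  # locked alias: no password login possible
        elif field in owner:
            # Salted hashes differ per entry, so an identical field is a copy.
            findings.append(f"{name}: shadow hash copied from {owner[field]}")
        else:
            owner[field] = name
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PASSWD, SHADOW)))
```

A matching hash field only catches copied shadow entries; two aliases given the same password under different salts would need a policy check at password-change time instead.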