SU vs. ssh root at host
Phillips, John
john.phillips at calanais.com
Wed Feb 28 21:09:07 EST 2001
I agree that it is desirable to log in as root.

In our environment we have 12 admins looking after around 750
workstations/servers. Our ideal is to use OpenSSH with keys and the OpenSSH
patch which identifies which key has been used to log in as root. This gives
a degree of security and accountability.

But when somebody leaves/starts then somebody has to go around all the boxes
and add/remove userids or keys, so logging in directly as root is necessary
with password as well unless we get into complex expect scripts etc.

I realize that this may not be the "most secure" method, but I think we need
to trade off risk against operational effectiveness.

John
(John.Phillips at calanais.com) Unix Support, Calanais Ltd
Internal Phone: 700 2643 External Phone: 0141 568 2643
> -----Original Message-----
> From: John Hardin [mailto:johnh at aproposretail.com]
> Sent: 27 February 2001 16:38
> To: OpenSSH Development List
> Subject: Re: SU vs. ssh root at host
>
>
> mouring at etoh.eviladmin.org wrote:
> >
> > 1) On a fully secure system 'root' should *NEVER* be allowed to be logged
> > in remotely. This includes localhost because it's possible to spoof such
> > things (Granted this is my view, but it's a view that has been drilled
> > into me since I first started in the UNIX community in 92).
>
> And me since 1988.
>
> > This also has no useful bearing on OpenSSH project. So this thread is at
> > an end so useful work can be done. =)
>
> I disagree. I'm finding it very useful as an administrator (granted it's
> noise to developers). The discussion here has caused me to review my
> reasoning behind modifying the default sshd_config to disable root
> logins as I build our internal RPMs. This is not a bad thing to do every
> so often.
>
> Both sides have made good points, but a consensus has not been reached
> yet. Can we reach a consensus and update the default configuration files
> (if necessary) to reflect it?
>
> --
> John Hardin
> Internal Systems Administrator
> Apropos Retail Management Systems, Inc.
> <johnh at aproposretail.com> - (425) 672-1304
>
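
Added example, not part of the original message or of OpenSSH: the accountability idea discussed above (identifying which key was used to log in as root), sketched in Python against the "Accepted publickey" log line that current OpenSSH releases write, rather than the 2001 patch. The central key inventory, the admin names and all sample keys and log lines are constructed assumptions; a root login whose key is missing from the inventory marks a host where a departed admin's key is still installed.

```python
import base64, hashlib, re, struct

KEY_RE = re.compile(r"(ssh-[a-z0-9-]+|ecdsa-sha2-\S+)\s+(AAAA[0-9A-Za-z+/=]+)(?:\s+(.*))?$")
LOG_RE = re.compile(r"Accepted publickey for (\S+) from (\S+) port \d+ ssh2: \S+ (SHA256:\S+)")

def sample_key(owner):
    """Constructed ssh-ed25519 authorized_keys line; the key bytes are not a real key."""
    raw = hashlib.sha256(owner.encode()).digest()
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ssh-ed25519", raw))
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), owner)

def fingerprint(line):
    """(fingerprint, comment) in sshd's log form: unpadded base64 of SHA-256(key blob)."""
    m = KEY_RE.search(line.strip())  # search() skips leading options such as from="..."
    if not m:
        return None, None
    digest = hashlib.sha256(base64.b64decode(m.group(2))).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("="), m.group(3) or "(no comment)"

def load_inventory(text):
    """Map fingerprint -> owner for every key line; blank lines do not match KEY_RE."""
    pairs = (fingerprint(l) for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {fp: owner for fp, owner in pairs if fp}

def attribute_root_logins(log_text, owners):
    """(source, owner) per root key login; owner None means the key is not in the inventory."""
    return [(src, owners.get(fp)) for user, src, fp in LOG_RE.findall(log_text) if user == "root"]

# Constructed sample data: two current admins in the inventory, plus one key that
# was dropped from the inventory but is still accepted by a host.
INVENTORY = ("# current admins\n" + sample_key("alice@admin") + "\n"
             + 'from="192.0.2.0/24" ' + sample_key("bob@admin") + "\n")
LOG = "\n".join(
    "Feb 28 21:0%d:07 host sshd[41%d]: Accepted publickey for root from %s port 5022 ssh2: ED25519 %s"
    % (i, i, ip, fingerprint(sample_key(owner))[0])
    for i, (ip, owner) in enumerate([("192.0.2.10", "alice@admin"),
                                     ("192.0.2.11", "bob@admin"),
                                     ("192.0.2.12", "carol@left")]))

if __name__ == "__main__":
    for source, owner in attribute_root_logins(LOG, load_inventory(INVENTORY)):
        print(source, owner or "KEY NOT IN INVENTORY")
```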