ssh - NO SALE or NO GIVE ?

Pekka Savola pekkas at netcore.fi
Tue May 22 00:12:44 EST 2001


On Mon, 21 May 2001, Markus Friedl wrote:
> On Mon, May 21, 2001 at 04:51:22PM +0300, Pekka Savola wrote:
> > There is a significant difference related to _account management_ here;
> > I'm sure you can see it. :-)
>
> i can see what you want. however, i still think that nobody
> should ever login as root. the root account should never be
> used at all. you can use su/sudo if you need privileges.
> you should never use the root account to do any work. just
> kill/start or cp files.

Never say never, is what I say ;-).  I never log on as root on my home
systems, private company systems etc.  This is easyish when there are only
<5-10 separate systems to use.

The real crux happens when you have, say, _50_ different servers.  You
_don't_ want to be managing accounts manually there (and personally, I
don't want to use stuff like NIS for sensitive data like this), and it's
easier to just use root.

If using root can be made more controllable (e.g. the publickey-only
option), this is only better. :-)

> it happens much more often that general accounts are added
> than privileged accounts are removed. so you need to update
> the userdata-base on a regular basis anyway.

Except on servers that have only privileged accounts.

This is a smaller problem if account management problem must be solved for
the regular users in the same box too; then, adding/removing users/etc. is
probably not so big a bother.

> if you want to lock out people fast, put them into a unix
> group and add a DenyGroup or AllowGroup to sshd_config

In this scenario, this would require that either all people belong to that
group (and everyone would be shut out) or users would have to be added to that
group, necessitating a management act (one that could be automatized a
little easier than plain adduser/rmuser, though).

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
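The two controls argued over in this exchange, restricting root to key-based
authentication (the "publickey-only option" above, which I take to be
PermitRootLogin without-password) and gating logins with AllowGroups/DenyGroups,
are easy to misconfigure on a fleet of 50 hosts. The following audit script is
an added example, not code from the list post or from OpenSSH; the two
sshd_config excerpts and the group names sshadmins and suspended are constructed
samples. It reads each keyword the way sshd does (first active match wins,
keywords are case-insensitive) and flags a config that still allows root
password logins or has no group gate.

```shell
#!/bin/sh
# Added example (not from the list post): audit an sshd_config for the two
# controls discussed in the thread. Config excerpts and group names below are
# constructed samples, not a real host's configuration.

PERMISSIVE_CFG='# constructed sample: root with password, no group gate
PermitRootLogin yes
PasswordAuthentication yes'

RESTRICTED_CFG='# constructed sample: root by publickey only, admins gated by group
PermitRootLogin without-password
PasswordAuthentication no
AllowGroups sshadmins
DenyGroups suspended'

# sshd_value FILE KEYWORD
# Print the value of the first active occurrence of KEYWORD. sshd honours the
# first match for a keyword, so a later duplicate line does not override it.
# Keywords are case-insensitive; "#" comment lines never match because their
# first field starts with "#".
sshd_value() {
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# audit_sshd FILE
# Return 0 when root is limited to key-based (or no) login and logins are
# gated by an AllowGroups list; return 1 otherwise. Findings go to stdout.
audit_sshd() {
    rc=0
    prl=$(sshd_value "$1" PermitRootLogin)
    case "$prl" in
        without-password|prohibit-password|forced-commands-only|no)
            echo "ok:   PermitRootLogin $prl" ;;
        "")
            echo "WARN: PermitRootLogin not set, the default of this sshd version applies"
            rc=1 ;;
        *)
            echo "WARN: PermitRootLogin $prl (root password logins allowed)"
            rc=1 ;;
    esac

    groups=$(sshd_value "$1" AllowGroups)
    if [ -n "$groups" ]; then
        echo "ok:   AllowGroups $groups"
    else
        echo "WARN: no AllowGroups, every account with a shell may log in"
        rc=1
    fi

    # DenyGroups is evaluated before AllowGroups, so a user in both is denied.
    deny=$(sshd_value "$1" DenyGroups)
    [ -n "$deny" ] && echo "info: DenyGroups $deny (checked before AllowGroups)"
    return $rc
}

# check_sample LABEL CONTENT: write CONTENT to a temp file, audit it, clean up.
check_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$2" > "$tmp"
    echo "== $1"
    if audit_sshd "$tmp"; then echo "result: pass"; else echo "result: FAIL"; fi
    rm -f "$tmp"
}

check_sample permissive "$PERMISSIVE_CFG"
check_sample restricted "$RESTRICTED_CFG"
```

Pointed at a real file (audit_sshd /etc/ssh/sshd_config) it gives a quick pass/fail
per host; the one thing it does not model is Match blocks, whose keywords sshd
applies only to the matching connection, so a PermitRootLogin inside a Match
block should be reviewed by hand.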